CoRE

Internet Engineering Task Force (IETF)                    C. Amsüss, Ed.
Internet-Draft
Intended status:
Request for Comments: 9176
Category: Standards Track                                      Z. Shelby
Expires: 8 September 2021
ISSN: 2070-1721                                                      ARM
                                                               M. Koster
                                                             SmartThings
                                                              C. Bormann
                                                 Universitaet Bremen TZI
                                                         P. van der Stok
                                                              consultant
                                                            7 March 2021

                        CoRE
                                                              Consultant
                                                           February 2022

       Constrained RESTful Environments (CoRE) Resource Directory
                 draft-ietf-core-resource-directory-28

Abstract

   In many IoT Internet of Things (IoT) applications, direct discovery of
   resources is not practical due to sleeping nodes, nodes or networks where
   multicast traffic is inefficient.  These problems can be solved by
   employing an entity called a Resource Directory (RD), which contains
   information about resources held on other servers, allowing lookups
   to be performed for those resources.  The input to an RD is composed
   of links links, and the output is composed of links constructed from the
   information stored in the RD.  This document specifies the web
   interfaces that an RD supports for web servers to discover the RD and
   to register, maintain, lookup look up, and remove information on resources.
   Furthermore, new target attributes useful in conjunction with an RD
   are defined.

Note to Readers

   Discussion of this document takes place on the CORE Working Group
   mailing list (core@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/core/
   (https://mailarchive.ietf.org/arch/browse/core/).

   Source for this draft and an issue tracker can be found at
   https://github.com/core-wg/resource-directory (https://github.com/
   core-wg/resource-directory).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list  It represents the consensus of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid the IETF community.  It has
   received public review and has been approved for a maximum publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of six months RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 September 2021.
   https://www.rfc-editor.org/info/rfc9176.

Copyright Notice

   Copyright (c) 2021 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info)
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Architecture and Use Cases  . . . . . . . . . . . . . . . . .   6
     3.1.  Principles  . . . . . . . . . . . . . . . . . . . . . . .   6
     3.2.  Architecture  . . . . . . . . . . . . . . . . . . . . . .   7
     3.3.  RD Content Model  . . . . . . . . . . . . . . . . . . . .   8
     3.4.  Link-local addresses  Link-Local Addresses and zone identifiers . . . . . . . .  12 Zone Identifiers
     3.5.  Use Case: Cellular M2M  . . . . . . . . . . . . . . . . .  12
     3.6.  Use Case: Home and Building Automation  . . . . . . . . .  13
     3.7.  Use Case: Link Catalogues . . . . . . . . . . . . . . . .  14
   4.  RD discovery Discovery and other interface-independent components . . .  14 Other Interface-Independent Components
     4.1.  Finding a Resource Directory  . . . . . . . . . . . . . .  15
       4.1.1.  Resource Directory Address Option (RDAO)  . . . . . .  17
       4.1.2.  Using DNS-SD to discover Discover a Resource Directory . . . .  18
     4.2.  Payload Content Formats . . . . . . . . . . . . . . . . .  19
     4.3.  URI Discovery . . . . . . . . . . . . . . . . . . . . . .  19
   5.  Registration  . . . . . . . . . . . . . . . . . . . . . . . .  22
     5.1.  Simple Registration . . . . . . . . . . . . . . . . . . .  26
     5.2.  Third-party registration  . . . . . . . . . . . . . . . .  29  Third-Party Registration
     5.3.  Operations on the Registration Resource . . . . . . . . .  29
       5.3.1.  Registration Update . . . . . . . . . . . . . . . . .  30
       5.3.2.  Registration Removal  . . . . . . . . . . . . . . . .  33
       5.3.3.  Further operations  . . . . . . . . . . . . . . . . .  34 Operations
       5.3.4.  Request freshness . . . . . . . . . . . . . . . . . .  34 Freshness
   6.  RD Lookup . . . . . . . . . . . . . . . . . . . . . . . . . .  36
     6.1.  Resource lookup . . . . . . . . . . . . . . . . . . . . .  37 Lookup
     6.2.  Lookup filtering  . . . . . . . . . . . . . . . . . . . .  37 Filtering
     6.3.  Resource lookup examples  . . . . . . . . . . . . . . . .  40 Lookup Examples
     6.4.  Endpoint lookup . . . . . . . . . . . . . . . . . . . . .  42 Lookup
   7.  Security policies . . . . . . . . . . . . . . . . . . . . . .  43 Policies
     7.1.  Endpoint name . . . . . . . . . . . . . . . . . . . . . .  44 Name
       7.1.1.  Random endpoint names . . . . . . . . . . . . . . . .  44 Endpoint Names
     7.2.  Entered resources . . . . . . . . . . . . . . . . . . . .  44 Resources
     7.3.  Link confidentiality  . . . . . . . . . . . . . . . . . .  45 Confidentiality
     7.4.  Segmentation  . . . . . . . . . . . . . . . . . . . . . .  45
     7.5.  First-Come-First-Remembered:  "First Come First Remembered": A default policy . . . . . .  46 Default Policy
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  47
     8.1.  Discovery . . . . . . . . . . . . . . . . . . . . . . . .  48
     8.2.  Endpoint Identification and Authentication  . . . . . . .  48
     8.3.  Access Control  . . . . . . . . . . . . . . . . . . . . .  49
     8.4.  Denial of Service  Denial-of-Service Attacks . . . . . . . . . . . . . . . .  49
     8.5.  Skipping freshness checks . . . . . . . . . . . . . . . .  50 Freshness Checks
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  50
     9.1.  Resource Types  . . . . . . . . . . . . . . . . . . . . .  50
     9.2.  IPv6 ND Resource Directory Address Option . . . . . . . .  51
     9.3.  RD Parameter Parameters Registry . . . . . . . . . . . . . . . . . .  51
       9.3.1.  Full description Description of the "Endpoint Type" RD Parameter . . . . . . . . . . . . . . . . . . . . . .  54
     9.4.  "Endpoint Type"  Endpoint Type (et=) RD Parameter values . . . . . . . .  54 Values
     9.5.  Multicast Address Registration  . . . . . . . . . . . . .  55
     9.6.  Well-Known URIs . . . . . . . . . . . . . . . . . . . . .  55
     9.7.  Service Names Name and Transport Protocol Port Number Registry  . . . . . . . . . . . . . . . . . . . . . . . .  55
   10. Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  56
     10.1.  Lighting Installation  . . . . . . . . . . . . . . . . .  56
       10.1.1.  Installation Characteristics . . . . . . . . . . . .  56
       10.1.2.  RD entries . . . . . . . . . . . . . . . . . . . . .  57 Entries
     10.2.  OMA Lightweight M2M (LwM2M)  . . . . . . . . . . . . . .  60
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  61
   12. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . .  61
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  76
     13.1.
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  76
     13.2.
     11.2.  Informative References . . . . . . . . . . . . . . . . .  77
   Appendix A.  Groups Registration and Lookup . . . . . . . . . . .  80
   Appendix B.  Web links Links and the Resource Directory . . . . . . . .  82
     B.1.  A simple example  . . . . . . . . . . . . . . . . . . . .  82 Simple Example
       B.1.1.  Resolving the URIs  . . . . . . . . . . . . . . . . .  82
       B.1.2.  Interpreting attributes Attributes and relations . . . . . . . .  83 Relations
     B.2.  A slightly more complex example . . . . . . . . . . . . .  83 Slightly More Complex Example
     B.3.  Enter the Resource Directory  . . . . . . . . . . . . . .  84
     B.4.  A note Note on differences Differences between link-format Link-Format and Link header
           fields  . . . . . . . . . . . . . . . . . . . . . . . . .  86 Header
           Fields
   Appendix C.  Limited Link Format  . . . . . . . . . . . . . . . .  86
   Acknowledgments
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  87

1.  Introduction

   In the work on Constrained RESTful Environments (CoRE), a REST
   Representational State Transfer (REST) architecture suitable for
   constrained nodes (e.g. (e.g., with limited RAM and ROM [RFC7228]) and
   networks (e.g. 6LoWPAN (e.g., IPv6 over Low-Power Wireless Personal Area Network
   (6LoWPAN) [RFC4944]) has been established and is used in Internet-of-Things Internet of
   Things (IoT) or machine-to-
   machine machine-to-machine (M2M) applications applications, such as smart
   energy and building automation.

   The discovery of resources offered by a constrained server is very
   important in machine-to-machine applications where there are no
   humans in the loop and static interfaces result in fragility.  The
   discovery of resources provided by an HTTP Web Server web server is typically
   called Web Linking web linking [RFC8288].  The use of Web Linking web linking for the
   description and discovery of resources hosted by constrained web
   servers is specified by the CoRE Link Format [RFC6690].  However,
   [RFC6690] only describes how to discover resources from the web
   server that hosts them by querying /.well-known/core.  In many
   constrained scenarios, direct discovery of resources is not practical
   due to sleeping nodes, nodes or networks where multicast traffic is
   inefficient.  These problems can be solved by employing an entity
   called a Resource Directory (RD), which contains information about
   resources held on other servers, allowing lookups to be performed for
   those resources.

   This document specifies the web interfaces that an RD supports for
   web servers to discover the RD and to register, maintain, lookup look up,
   and remove information on resources.  Furthermore, new target
   attributes useful in conjunction with an RD are defined.  Although
   the examples in this document show the use of these interfaces with CoAP
   the Constrained Application Protocol (CoAP) [RFC7252], they can be
   applied in an equivalent manner to HTTP [RFC7230].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The term "byte" is used in its now customary sense as a synonym for
   "octet".

   This specification requires readers to be familiar with all the terms
   and concepts that are discussed in [RFC3986], [RFC8288] [RFC8288], and
   [RFC6690].  Readers should also be familiar with the terms and
   concepts discussed in [RFC7252].  To describe the REST interfaces
   defined in this specification, the URI Template format is used
   [RFC6570].

   This specification makes use of the following additional terminology:

   resolve against

   Resolve Against
      The expression "a URI-reference is _resolved against_ a base URI"
      is used to describe the process of [RFC3986] [RFC3986], Section 5.2.
      Noteworthy corner cases are that that, if the URI-reference is a (full)
      URI and resolved against any base URI, that gives the original
      full URI, URI and that resolving an empty URI reference gives the base
      URI without any fragment identifier.

   Resource Directory (RD)
      A web entity that stores information about web resources and
      implements the REST interfaces defined in this specification for
      discovery, for the creation, maintenance maintenance, and removal of
      registrations, and for lookup of the registered resources.

   Sector
      In the context of an RD, a sector is a logical grouping of
      endpoints.

      The abbreviation "d=" is used for the sector in query parameters
      for compatibility with deployed implementations.

   Endpoint (EP)
      Endpoint (EP) is a term used to describe a web server or client in
      [RFC7252].  In the context of this specification specification, an endpoint is
      used to describe a web server that registers resources to the RD.
      An endpoint is identified by its endpoint name, which is included
      during registration, and has a unique name within the associated
      sector of the registration.

   Registration Base URI
      The Base base URI of a Registration registration is a URI that typically gives
      scheme and authority information about an Endpoint. endpoint.  The
      Registration Base
      registration base URI is provided at registration time, time and is used
      by the RD to resolve relative references of the registration into
      URIs.

   Target
      The target of a link is the destination address (URI) of the link.
      It is sometimes identified with "href=", "href=" or displayed as <target>.
      Relative targets need resolving with respect to the Base base URI
      (section
      (Section 5.2 of [RFC3986]).

      This use of the term Target "target" is consistent with [RFC8288]'s use of the term. use in
      [RFC8288].

   Context
      The context of a link is the source address (URI) of the link, link and
      describes which resource is linked to the target.  A link's
      context is made explicit in serialized links as the "anchor="
      attribute.

      This use of the term Context "context" is consistent with [RFC8288]'s use of the term. use in
      [RFC8288].

   Directory Resource
      A directory resource is a resource in the RD containing
      registration resources.

   Registration Resource
      A registration resource is a resource in the RD that contains
      information about an Endpoint endpoint and its links.

   Commissioning Tool (CT)
      A Commissioning Tool (CT) is a device that assists during
      installation events by assigning values to parameters, naming
      endpoints and groups, or adapting the installation to the needs of
      the applications.

   Registrant-ep
      Registrant-ep
      A registrant-ep is the endpoint that is registered into the RD.
      The registrant-ep can register itself, or a CT registers the
      registrant-ep.

   RDAO

   Resource Directory Address Option. Option (RDAO)
      A Resource Directory Address Option (RDAO) is a new IPv6 Neighbor
      Discovery option defined for announcing an RD's address.

3.  Architecture and Use Cases

3.1.  Principles

   The RD is primarily a tool to make discovery operations more
   efficient than querying /.well-known/core on all connected devices, devices or
   across boundaries that would limit those operations.

   It provides information about resources hosted by other devices that
   could otherwise only be obtained by directly querying the /.well-
   known/core resource on these other devices, either by a unicast
   request or a multicast request.

   Information SHOULD only be stored in the RD if it can be obtained by
   querying the described device's /.well-known/core resource directly.

   Data in the RD can only be provided by the device which that hosts those the data
   or a dedicated Commissioning Tool (CT).  These CTs act on behalf of
   endpoints too constrained, or generally unable, to present that
   information themselves.  No other client can modify data in the RD.
   Changes to the information in the RD do not propagate automatically
   back to the web servers from where the information originated.

3.2.  Architecture

   The RD architecture is illustrated in Figure 1.  An RD is used as a
   repository of registrations describing resources hosted on other web
   servers, also called endpoints (EP). (EPs).  An endpoint is a web server
   associated with a scheme, IP address address, and port.  A physical node may
   host one or more endpoints.  The RD implements a set of REST
   interfaces for endpoints to register and maintain RD registrations, registrations
   and for endpoints to lookup look up resources from the RD.  An RD can be
   logically segmented by the use of Sectors. sectors.

   A mechanism to discover an RD using CoRE Link Format [RFC6690] is
   defined.

   Registrations in the RD are soft state and need to be periodically
   refreshed.

   An endpoint uses specific interfaces to register, update update, and remove
   a registration.  It is also possible for an RD to fetch Web Links web links
   from endpoints and add their contents to its registrations.

   At the first registration of an endpoint, a "registration resource"
   is created, the location of which is returned to the registering
   endpoint.  The registering endpoint uses this registration resource
   to manage the contents of registrations.

   A lookup interface for discovering any of the Web Links web links stored in the
   RD is provided using the CoRE Link Format.

              Registration         Lookup
               Interface         Interface
   +----+          |                 |
   | EP |----      |                 |
   +----+    ----  |                 |
                 --|-    +------+    |
   +----+          | ----|      |    |     +--------+
   | EP | ---------|-----|  RD  |----|-----| Client |
   +----+          | ----|      |    |     +--------+
                 --|-    +------+    |
   +----+    ----  |                 |
   | CT |----      |                 |
   +----+

                       Figure 1: The RD architecture. Architecture

   A Registrant-EP registrant-ep MAY keep concurrent registrations to more than one RD
   at the same time if explicitly configured to do so, but that is not
   expected to be supported by typical EP implementations.  Any such
   registrations are independent of each other.  The usual expectation
   when multiple discovery mechanisms or addresses are configured is
   that they constitute a fall-back path for a single registration.

3.3.  RD Content Model

   The Entity-Relationship (ER) models shown in Figure Figures 2 and Figure 3 model
   the contents of /.well-known/core and the RD respectively, with
   entity-relationship diagrams [ER].  Entities (rectangles) are used
   for concepts that exist independently.  Attributes (ovals) are used
   for concepts that exist only in connection with a related entity.
   Relations (diamonds) give a semantic meaning to the relation between
   entities.  Numbers specify the cardinality of the relations.

   Some of the attribute values are URIs.  Those values are always full
   URIs and never relative references in the information model.  They
   can, however,
   However, they can be expressed as relative references in
   serializations, and they often are.

   These models provide an abstract view of the information expressed in
   link-format documents and an RD.  They cover the concepts, concepts but not
   necessarily all details of an RD's operation; they are meant to give
   an overview, overview and not be a template for implementations.

              +----------------------+
              |   /.well-known/core  |
              +----------------------+
                         |
                         | 1
                 ////////\\\\\\\
                <    contains   >
                 \\\\\\\\///////
                         |
                         | 0+
               +--------------------+
               |      link          |
               +--------------------+
                         |
                         |  1   oooooooo
                         +-----o target o
                         |      oooooooo
    oooooooooooo   0+    |
   o    target  o--------+
   o  attribute o        | 0+   oooooo
    oooooooooooo         +-----o rel  o
                         |      oooooo
                         |
                         | 1    ooooooooo
                         +-----o context o
                                ooooooooo

           Figure 2: ER Model of the content Content of /.well-known/core

   The model shown in

   Figure 2 models the contents of /.well-known/core /.well-known/core, which contains:

   * contains a
   set of links belonging to the hosting web server server.

   The web server is free to choose links it deems appropriate to be
   exposed in its /.well-known/core.  Typically, the links describe
   resources that are served by the host, but the set can also contain
   links to resources on other servers (see examples in [RFC6690] page
   14). Section 5 of
   [RFC6690]).  The set does not necessarily contain links to all
   resources served by the host.

   A link has the following attributes (see Section 5 of [RFC8288]):

   *  Zero or more link relations: They describe relations between the
      link context and the link target.

      In link-format serialization, they are expressed as space-
      separated values in the "rel" attribute, attribute and default to "hosts".

   *  A link context URI: It defines the source of the relation, e.g. e.g.,
      _who_ "hosts" something.

      In link-format serialization, it is expressed in the "anchor"
      attribute and defaults to the Origin of the target (practically: (practically,
      the target with its path and later components removed) removed).

   *  A link target URI: It defines the destination of the relation
      (e.g.
      (e.g., _what_ is hosted), hosted) and is the topic of all target
      attributes.

      In link-format serialization, it is expressed between angular
      brackets,
      brackets and sometimes called the "href".

   *  Other target attributes (e.g. (e.g., resource type (rt), interface (if),
      or content format (ct)). (ct)): These provide additional information
      about the target URI.

                    +--------------+
                    +      RD      +
                    +--------------+
                           | 1
                           |
                           |
                           |
                           |
                      //////\\\\
                     < contains >
                      \\\\\/////
                           |
                        0+ |
    ooooooo     1  +---------------+
   o  base o-------|  registration |
    ooooooo        +---------------+
                       |       | 1
                       |       +--------------+
          oooooooo   1 |                      |
         o  href  o----+                 /////\\\\
          oooooooo     |                < contains >
                       |                 \\\\\/////
          oooooooo   1 |                      |
         o   ep   o----+                      | 0+
          oooooooo     |             +------------------+
                       |             |      link        |
          oooooooo 0-1 |             +------------------+
         o    d   o----+                      |
          oooooooo     |                      |  1   oooooooo
                       |                      +-----o target o
          oooooooo   1 |                      |      oooooooo
         o   lt   o----+     ooooooooooo   0+ |
          oooooooo     |    o  target   o-----+
                       |    o attribute o     | 0+   oooooo
       ooooooooooo 0+  |     ooooooooooo      +-----o rel  o
      o  endpoint o----+                      |      oooooo
      o attribute o                           |
       ooooooooooo                            | 1   ooooooooo
                                              +----o context o
                                                    ooooooooo

                Figure 3: ER Model of the content Content of the RD

   The model shown in

   Figure 3 models the contents of the RD RD, which
   contains contains, in addition
   to /.well-known/core:

   * /.well-known/core, 0 to n Registrations registrations of endpoints, endpoints.

   A registration is associated with one endpoint.  A registration
   defines a set of links links, as defined for /.well-known/core.  A
   Registration
   registration has six types of attributes:

   *  an endpoint name ("ep", a Unicode string) unique within a sector

   *  a Registration Base registration base URI ("base", a URI typically describing the
      scheme://authority part)

   *  a lifetime ("lt"), ("lt")

   *  a registration resource location inside the RD ("href"), ("href")

   *  optionally  optionally, a sector ("d", a Unicode string)

   *  optional additional endpoint attributes (from Section 9.3)

   The cardinality of "base" is currently 1; future documents are
   invited to extend the RD specification to support multiple values
   (e.g.  [I-D.silverajan-core-coap-protocol-negotiation]).
   (e.g., [COAP-PROT-NEG]).  Its value is used as a Base base URI when
   resolving URIs in the links contained in the endpoint.

   Links are modelled modeled as they are in Figure 2.

3.4.  Link-local addresses  Link-Local Addresses and zone identifiers Zone Identifiers

   Registration Base base URIs can contain link-local IP addresses.  To be
   usable across hosts, those cannot be serialized to contain zone
   identifiers (see [RFC6874] [RFC6874], Section 1).

   Link-local addresses can only be used on a single link (therefore (therefore, RD
   servers cannot announce them when queried on a different link), and
   lookup clients using them need to keep track of which interface they
   got them from.

   Therefore, it is advisable in many scenarios to use addresses with
   larger scope scopes, if available.

3.5.  Use Case: Cellular M2M

   Over the last few years, mobile operators around the world have
   focused on development of M2M solutions in order to expand the
   business to the new type of users: machines.  The machines are
   connected directly to a mobile network using an appropriate embedded
   wireless interface (GSM/GPRS, WCDMA, (GSM/General Packet Radio Service (GPRS), Wideband
   Code Division Multiple Access (W-CDMA), LTE) or via a gateway
   providing
   short short- and wide range wide-range wireless interfaces.  The ambition in
   such systems is to build them from reusable components.  These speed
   up development and deployment, deployment and enable shared use of machines
   across different applications.  One crucial component of such systems
   is the discovery of resources (and thus the endpoints they are hosted
   on) capable of providing required information at a given time or
   acting on instructions from the end users.

   Imagine a scenario where endpoints installed on vehicles enable
   tracking of the position of these vehicles for fleet management
   purposes and allow monitoring of environment parameters.  During the
   boot-up process process, endpoints register with an RD, which is hosted by
   the mobile operator or somewhere in the cloud.  Periodically, these
   endpoints update their registration and may modify resources they
   offer.

   When endpoints are not always connected, for example example, because they
   enter a sleep mode, a remote server is usually used to provide proxy
   access to the endpoints.  Mobile apps or web applications for
   environment monitoring contact the RD, look up the endpoints capable
   of providing information about the environment using an appropriate
   set of link parameters, obtain information on how to contact them
   (URLs of the proxy server), and then initiate interaction to obtain
   information that is finally processed, displayed on the screen screen, and
   usually stored in a database.  Similarly, fleet management systems
   provide the appropriate link parameters to the RD to look up for EPs
   deployed on the vehicles the application is responsible for.

3.6.  Use Case: Home and Building Automation

   Home and commercial building automation systems can benefit from the
   use of IoT web services.  The discovery requirements of these
   applications are demanding.  Home automation usually relies on run-
   time discovery to commission the system, whereas whereas, in building
   automation
   automation, a combination of professional commissioning and run-time
   discovery is used.  Both home and building automation involve peer-
   to-peer interactions between endpoints, endpoints and involve battery-powered
   sleeping devices.  Both can use the common RD infrastructure to
   establish device interactions efficiently, efficiently but can pick security
   policies suitable for their needs.

   Two phases can be discerned for a network servicing the system: (1)
   installation and (2) operation.  During the operational phase, the
   network is connected to the Internet with a Border Router (e.g. border router (e.g., a
   6LoWPAN Border Router (6LBR), see [RFC6775]) (6LBR) [RFC6775]), and the nodes connected to
   the network can use the Internet services that are provided by the
   Internet Provider IP
   or the network administrator.  During the installation phase, the network
   is completely stand-alone, no Border
   Router border router is connected, and the
   network only supports the IP communication between the connected
   nodes.  The installation phase is usually followed by the operational
   phase.  As an RD's operations work without hard dependencies on names
   or addresses, it can be used for discovery across both phases.

3.7.  Use Case: Link Catalogues

   Resources may be shared through data brokers that have no knowledge
   beforehand of who is going to consume the data.  An RD can be used to
   hold links about resources and services hosted anywhere to make them
   discoverable by a general class of applications.

   For example, environmental and weather sensors that generate data for
   public consumption may provide data to an intermediary server, server or
   broker.  Sensor data are published to the intermediary upon changes
   or at regular intervals.  Descriptions of the sensors that resolve to
   links to sensor data may be published to an RD.  Applications wishing
   to consume the data can use RD Lookup lookup to discover and resolve links
   to the desired resources and endpoints.  The RD service need not be
   coupled with the data intermediary service.  Mapping of RDs to data
   intermediaries may be many-to-many.

   Metadata in web link formats like [RFC6690] the one defined in [RFC6690], which
   may be internally stored as triples, triples or relation/attribute pairs
   providing metadata about resource links, need to be supported by RDs.
   External catalogues that are represented in other formats may be
   converted to common web linking formats for storage and access by
   RDs.  Since it is common practice for these to be encoded in URNs
   [RFC8141], simple and lossless structural transforms should generally
   be sufficient to store external metadata in RDs.

   The additional features of an RD allow sectors to be defined to
   enable access to a particular set of resources from particular
   applications.  This provides isolation and protection of sensitive
   data when needed.  Application groups with multicast addresses may be
   defined to support efficient data transport.

4.  RD discovery Discovery and other interface-independent components Other Interface-Independent Components

   This and the following sections define the required set of REST
   interfaces between an RD, endpoints endpoints, and lookup clients.  Although
   the examples throughout these sections assume the use of CoAP
   [RFC7252], these REST interfaces can also be realized using HTTP
   [RFC7230].  The multicast discovery and simple registration
   operations are exceptions to that, as they rely on mechanisms
   unavailable in HTTP.  In all definitions in these sections, both CoAP
   response codes (with dot notation) and HTTP response codes (without
   dot notation) are shown.  An RD implementing this specification MUST
   support the discovery, registration, update, lookup, and removal
   interfaces.

   All operations on the contents of the RD MUST be atomic and
   idempotent.

   For several operations, interface templates are given in list form;
   those describe the operation participants, request codes, URIs,
   content formats formats, and outcomes.  Sections of those templates contain
   normative content about Interaction, Method, URI Template Template, and URI
   Template Variables Variables, as well as the details of the Success condition.
   The additional sections on for options like Content-Format (like Content-Format) and on for
   Failure codes give typical cases that an implementation of the RD
   should deal with.  Those serve to illustrate the typical responses to
   readers who are not yet familiar with all the details of CoAP based CoAP-based
   interfaces; they do not limit what a server may respond under
   atypical circumstances.

   REST clients (registrant-EPs (registrant-eps and CTs during registration and
   maintenance, lookup clients, and RD servers during simple
   registrations) must be prepared to receive any unsuccessful code and
   act upon it according to its definition, options options, and/or payload to
   the best of their capabilities, falling back to failing the operation
   if recovery is not possible.  In particular, they SHOULD retry the
   request upon 5.03 (Service Unavailable; 503 in HTTP) according to the
   Max-Age (Retry-After in HTTP) option, option and SHOULD fall back to link-format link-
   format when receiving 4.15 (Unsupported Content-Format; 415 in HTTP).

   An RD MAY make the information submitted to it available to further
   directories (subject to security policies on link confidentiality), confidentiality) if
   it can ensure that a loop does not form.  The protocol used between
   directories to ensure loop-free operation is outside the scope of
   this document.

4.1.  Finding a Resource Directory

   A (re-)starting (re)starting device may want to find one or more RDs before it can
   discover their URIs.  Dependent on the operational conditions, one or
   more of the techniques below apply.

   The device may be pre-configured preconfigured to exercise specific mechanisms for
   finding the RD:

   1.  It may be configured with a specific IP address for the RD.  That
       IP address may also be an anycast address, allowing the network
       to forward RD requests to an RD that is topologically close; each
       target network environment in which some of these preconfigured
       nodes are to be brought up is then configured with a route for
       this anycast address that leads to an appropriate RD.  (Instead
       of using an anycast address, a multicast address can also be
       preconfigured.  The RD servers then need to configure one of
       their interfaces with this multicast address.)

   2.  It may be configured with a DNS name for the RD and use DNS to
       return the IP address of the RD; it can find a DNS server to
       perform the lookup using the usual mechanisms for finding DNS
       servers.

   3.  It may be configured to use a service discovery mechanism mechanism, such
       as
       DNS-SD, DNS-based Service Discovery (DNS-SD), as outlined in
       Section 4.1.2.

   For cases where the device is not specifically configured with a way
   to find an RD, the network may want to provide a suitable default.

   1.  The IPv6 Neighbor Discovery option RDAO Section 4.1.1 (Section 4.1.1) can do
       that.

   2.  When DHCP is in use, this could be provided via a DHCP option (no
       such option is defined at the time of writing).

   Finally, if neither the device nor the network offers any specific
   configuration, the device may want to employ heuristics to find a
   suitable RD.

   The present specification does not fully define these heuristics, heuristics but
   suggests a number of candidates:

   1.  In a 6LoWPAN, just assume the Border Router border router (6LBR) can act as an
       RD (using the ABRO option Authoritative Border Router Option (ABRO) to find
       that [RFC6775]).  Confirmation can be obtained by sending a
       unicast to coap://[6LBR]/.well-
       known/core?rt=core.rd*. coap://[6LBR]/.well-known/core?rt=core.rd*.

   2.  In a network that supports multicast well, discovering discover the RD using
       a multicast query for /.well-known/core /.well-known/core, as specified in CoRE
       Link Format [RFC6690]: Sending [RFC6690], and send a Multicast GET to
       coap://[MCD1]/.well-known/core?rt=core.rd*.
       coap://[ff0x::fe]/.well-known/core?rt=core.rd*.  RDs within the
       multicast scope will answer the query.

   When answering a multicast request directed at a link-local group,
   the RD may want to respond from a routable address; this makes it
   easier for registrants to use one of their own routable addresses for
   registration.  When [RFC6724] is used for source address selection,
   this can be achieved by applying the changes of its Section 10.4,
   picking public addresses in Rule 7 of its Section 5 Rule 7, 5, and superseding
   rule
   Rule 8 with preferring the source address's precedence.

   As some of the RD addresses obtained by the methods listed here are
   just (more or less educated) guesses, endpoints MUST make use of any
   error messages to very strictly rate-limit requests to candidate IP
   addresses that don't work out.  For example, an ICMP Destination
   Unreachable message (and, in particular, the port unreachable code
   for this message) may indicate the lack of a CoAP server on the
   candidate host, or a CoAP error response code code, such as 4.05 "Method (Method
   Not Allowed" Allowed), may indicate unwillingness of a CoAP server to act as a
   directory server.

   The following RD discovery mechanisms are recommended:

   *  In managed networks with border routers that need stand-alone
      operation, the RDAO option is recommended (e.g. (e.g., the operational
      phase described in Section 3.6).

   *  In managed networks without border router routers (no Internet services
      available), the use of a preconfigured anycast address is
      recommended (e.g. (e.g., the installation phase described in
      Section 3.6).

   *  In networks managed using DNS-SD, the use of DNS-SD for discovery discovery,
      as described in Section 4.1.2 4.1.2, is recommended.

   The use of multicast discovery in mesh networks is NOT RECOMMENDED.

4.1.1.  Resource Directory Address Option (RDAO)

   The Resource Directory Address Option (RDAO) carries information
   about the address of the RD in RAs (Router Advertisements) of IPv6
   Neighbor Discovery (ND), similar to how RDNSS Recursive DNS Server (RDNSS)
   options [RFC8106] are sent.  This information is needed when
   endpoints cannot discover the RD with a link-local or realm-local
   scope multicast address, for
   instance instance, because the endpoint and the
   RD are separated by a Border
   Router border router (6LBR).  In many circumstances circumstances,
   the availability of DHCP cannot be guaranteed either during commissioning of
   the network. network either.  The presence and the use of the RD is essential
   during commissioning.

   It is possible to send multiple RDAO options in one message,
   indicating as many RD addresses.

   The RDAO format is:

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |  Length = 3   |          Reserved             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Valid Lifetime                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                          RD Address                           +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Figure 4: Resource Directory Address Option

   Fields:

   Type:                   TBD38             41

   Length:           8-bit unsigned integer.  The length of the option
                     in units of 8 bytes.  Always 3.

   Reserved:         This field is unused.  It MUST be initialized to
                     zero by the sender and MUST be ignored by the
                     receiver.

   Valid Lifetime:   32-bit unsigned integer.  The length of time in
                     seconds (relative to the time the packet is
                     received) that this RD address is valid.  A value
                     of all zero bits (0x0) indicates that this RD
                     address is not valid anymore.

   RD Address:       IPv6 address of the RD.

                Figure 4: Resource Directory Address Option

4.1.2.  Using DNS-SD to discover Discover a Resource Directory

   An RD can advertise its presence in DNS-SD [RFC6763] using the
   service name names defined in this document: _core-rd._udp (for CoAP),
   _core-rd-dtls._udp (for CoAP over DTLS), _core-rd._tcp (for CoAP over TCP)
   TCP), or _core-rd-tls._tcp (for CoAP over TLS) defined in this document. TLS).  (For the WebSocket
   transports of CoAP, no service is defined defined, as DNS-SD is typically
   unavailable in environments where CoAP over WebSockets is used). used.)

   The selection of the service indicates the protocol used, and the SRV
   record points the client to a host name and port to use as a starting
   point for the URI discovery steps of Section 4.3.

   This section is a simplified simplified, concrete application of the more
   generic mechanism specified in [I-D.ietf-core-rd-dns-sd]. [CORE-RD-DNS-SD].

4.2.  Payload Content Formats

   RDs implementing this specification MUST support the application/
   link-format content format (ct=40).

   RDs implementing this specification MAY support additional content
   formats.

   Any additional content format supported by an RD implementing this
   specification SHOULD be able to express all the information
   expressible in link-format.  It MAY be able to express information
   that is inexpressible in link-format, but those expressions SHOULD be
   avoided where possible.

4.3.  URI Discovery

   Before an endpoint can make use of an RD, it must first know the RD's
   address and port, port and the URI path information for its REST APIs.
   This section defines discovery of the RD and its URIs using the well-
   known interface of the CoRE Link Format [RFC6690] after having
   discovered a host host, as described in Section 4.1.

   Discovery of the RD registration URI is performed by sending either a
   multicast or unicast GET request to /.well-known/core and including a
   Resource Type
   resource type (rt) parameter [RFC6690] with the value "core.rd" in
   the query string.  Likewise, a Resource Type resource type parameter value of
   "core.rd-lookup*" is used to discover the URIs for RD Lookup lookup
   operations, and core.rd* is used to discover all URIs for RD
   operations.  Upon success, the response will contain a payload with a
   link format entry for each RD function discovered, indicating the URI
   of the RD function returned and the corresponding Resource Type. resource type.
   When performing multicast discovery, the multicast IP address used
   will depend on the scope required and the multicast capabilities of
   the network (see Section 9.5).

   An RD MAY provide hints about the content-formats it supports in the
   links it exposes or registers, using the "ct" target attribute, as
   shown in the example below.  Clients MAY use these hints to select
   alternate content-formats for interaction with the RD.

   HTTP does not support multicast and consequently multicast, and, consequently, only unicast
   discovery can be supported at the using the HTTP /.well-known/core resource.

   RDs implementing this specification MUST support query filtering for
   the rt parameter parameter, as defined in [RFC6690].

   While the link targets in this discovery step are often expressed in
   path-absolute form, this is not a requirement.  Clients of the RD
   SHOULD therefore accept URIs of all schemes they support, both as
   URIs and relative references, and not limit the set of discovered
   URIs to those hosted at the address used for URI discovery.

   With security policies where the client requires the RD to be
   authorized to act as an RD, that authorization may be limited to
   resources on which the authorized RD advertises the adequate resource
   types.  Clients that have obtained links they can not cannot rely on yet can
   repeat the URI discovery step at the /.well-known/core resource of
   the indicated host to obtain the resource type information from an
   authorized source.

   The URI Discovery discovery operation can yield multiple URIs of a given
   resource type.  The client of the RD can use any of the discovered
   addresses initially.

   The discovery request interface is specified as follows (this is
   exactly the Well-Known Interface well-known interface of [RFC6690] [RFC6690], Section 4, with the
   additional requirement that the server MUST support query filtering):

   Interaction:  EP, CT CT, or Client -> RD

   Method:  GET

   URI Template:  /.well-known/core{?rt}

   URI Template Variables:

      rt :=  Resource Type.  SHOULD contain one of the values "core.rd",
         "core.rd-lookup*", "core.rd-lookup-res", "core.rd-lookup-ep",
         or "core.rd*"

   Accept:  absent, application/link-format application/link-format, or any other media type
      representing web links

   The following response is expected on this interface:

   Success:  2.05 "Content" (Content) or 200 "OK" (OK) with an application/link-format
      or other web link payload containing one or more matching entries
      for the RD resource.

   The following example shows an endpoint discovering an RD using this
   interface, thus learning that the directory resource location, location in this example,
   example is /rd, /rd and that the content-format delivered by the server
   hosting the resource is application/link-format (ct=40).  Note that
   it is up to the RD to choose its RD locations.

   Req: GET coap://[MCD1]/.well-known/core?rt=core.rd* coap://[ff0x::fe]/.well-known/core?rt=core.rd*

   Res: 2.05 Content
   Payload:
   </rd>;rt=core.rd;ct=40,
   </rd-lookup/ep>;rt=core.rd-lookup-ep;ct=40,
   </rd-lookup/res>;rt=core.rd-lookup-res;ct=40

                    Figure 5: Example discovery exchange Discovery Exchange

   The following example shows the way of indicating that a client may
   request alternate content-formats.  The Content-Format code attribute
   "ct" MAY include a space-separated sequence of Content-Format codes codes,
   as specified in Section 7.2.1 of [RFC7252], indicating that multiple
   content-formats are available.  The example below shows the required
   Content-Format 40 (application/link-format) indicated indicated, as well as a
   CBOR
   Concise Binary Object Representation (CBOR) and JSON representation representations
   from [I-D.ietf-core-links-json] [CORE-LINKS-JSON] (which have no numeric values assigned yet, so
   they are shown as TBD64 and TBD504 as in that draft).  The RD
   resource locations /rd, /rd and /rd-
   lookup /rd-lookup are example values.  The server
   in this example also indicates that it is capable of providing
   observation on resource lookups.

   Req: GET coap://[MCD1]/.well-known/core?rt=core.rd* coap://[ff0x::fe]/.well-known/core?rt=core.rd*

   Res: 2.05 Content
   Payload:
   </rd>;rt=core.rd;ct="40 65225",
   </rd-lookup/res>;rt=core.rd-lookup-res;ct="40 TBD64 TBD504";obs,
   </rd-lookup/ep>;rt=core.rd-lookup-ep;ct="40 TBD64 TBD504"

         Figure 6: Example discovery exchange indicating additional
                              content-formats Discovery Exchange Indicating Additional
                              Content-Formats

   For maintenance, management management, and debugging, it can be useful to
   identify the components that constitute the RD server.  The
   identification can be used to find client-server incompatibilities,
   supported features, required updates updates, and other aspects.  The Well-
   Known well-
   known interface described in Section 4 of [RFC6690] can be used to
   find such data.

   It would typically be stored in an implementation information link
   (as described in [I-D.bormann-t2trg-rel-impl]): [T2TRG-REL-IMPL]).

   Req: GET /.well-known/core?rel=impl-info

   Res: 2.05 Content
   Payload:
   <http://software.example.com/shiny-resource-directory/1.0beta1>;
       rel=impl-info

           Figure 7: Example exchange Exchange of obtaining implementation
       information, using Obtaining Implementation
         Information Using the relation type currently proposed Relation Type Currently Proposed in the
                         work-in-progress document
                              [T2TRG-REL-IMPL]

   Note that that, depending on the particular server's architecture, such a
   link could be anchored at the RD server's root (as in this example), example)
   or at individual RD components.  The latter is to be expected when
   different applications are run on the same server.

5.  Registration

   After discovering the location of an RD, a registrant-ep or CT MAY
   register the resources of the registrant-ep using the registration
   interface.  This interface accepts a POST from an endpoint containing
   the list of resources to be added to the directory as the message
   payload in the CoRE Link Format [RFC6690] or other representations of
   web links, along with query parameters indicating the name of the
   endpoint, and optionally
   endpoint and, optionally, the sector, lifetime lifetime, and base URI of the
   registration.  It is expected that other specifications will define
   further parameters (see Section 9.3).  The RD then creates a new
   registration resource in the RD and returns its location.  The
   receiving endpoint MUST use that location when refreshing
   registrations using this interface.  Registration resources in the RD
   are kept active for the period indicated by the lifetime parameter.
   The creating endpoint is responsible for refreshing the registration
   resource within this period period, using either the registration or update
   interface.  The registration interface MUST be implemented to be
   idempotent, so that registering twice with the same endpoint
   parameters ep and d (sector) does not create multiple registration
   resources.

   The following rules apply for a registration request targeting a
   given (ep, d) value pair:

   *  When the (ep, d) value pair of the registration-request registration request is
      different from any existing registration, a new registration is
      generated.

   *  When the (ep, d) value pair of the registration-request registration request is equal
      to an existing registration, the content and parameters of the
      existing registration are replaced with the content of the
      registration request.  Like the later changes to registration
      resources, security policies (Section 7) usually require such
      requests to come from the same device.

   The posted link-format document can (and typically does) contain
   relative references both in its link targets and in its anchors, or anchors; it
   can also contain empty anchors.  The RD server needs to resolve these
   references in order to faithfully represent them in lookups.  They
   are resolved against the base URI of the registration, which is
   provided either explicitly in the base parameter or constructed
   implicitly from the requester's URI URI, as constructed from its network
   address and scheme.

   For media types to which Appendix C applies (i.e. (i.e., documents in
   application/link-format), request bodies MUST be expressed in Limited
   Link Format.

   The registration request interface is specified as follows:

   Interaction:  EP or CT -> RD

   Method:  POST

   URI Template:  {+rd}{?ep,d,lt,base,extra-attrs*}

   URI Template Variables:

      rd :=  RD registration URI (mandatory).  This is the location of
         the RD, as obtained from discovery.

      ep :=  Endpoint name (mostly mandatory).  The endpoint name is an
         identifier that MUST be unique within a sector.

         As the endpoint name is a Unicode string, it is encoded in
         UTF-8 (and possibly pct-encoded) encoded in pct) during variable expansion
         (see
         [RFC6570] [RFC6570], Section 3.2.1).  The endpoint name MUST NOT
         contain any character in the inclusive ranges 0-31 or 127-159.

         The maximum length of this parameter is 63 UTF-8 bytes encoded bytes. in
         UTF-8.

         If the RD is configured to recognize the endpoint that is to be
         authorized to use exactly one endpoint name, the RD assigns
         that name.  In that case, giving the endpoint name becomes
         optional for the client; if the client gives any other endpoint
         name, it is not authorized to perform the registration.

      d :=  Sector (optional).  The  This is the sector to which this
         endpoint belongs.  When this parameter is not present, the RD
         MAY associate the endpoint with a configured default sector
         (possibly based on the endpoint's authorization) or leave it
         empty.

         The sector is encoded like the ep parameter, parameter and is limited to
         63 UTF-8 encoded bytes encoded in UTF-8 as well.

      lt :=  Lifetime (optional).  Lifetime  This is the lifetime of the
         registration in seconds.  Range seconds, with a range of 1-4294967295.  If no
         lifetime is included in the initial registration, a default
         value of 90000 (25 hours) SHOULD be assumed.

      base :=  Base URI (optional).  This parameter sets the base URI of
         the registration, under which the relative links in the payload
         are to be interpreted.  The specified URI typically does not
         have a path component of its
         own, own and MUST be suitable as a base
         URI to resolve any relative references given in the
         registration.  The parameter is therefore usually of the shape
         "scheme://authority" for HTTP and CoAP URIs.  The URI SHOULD
         NOT have a query or fragment
         component component, as any non-empty
         relative part in a reference would remove those parts from the
         resulting URI.

         In the absence of this parameter parameter, the scheme of the protocol,
         source address address, and source port of the registration request are
         assumed.  The Base base URI is consecutively constructed by
         concatenating the used protocol's scheme with the characters
         "://", the requester's source address as an address literal literal,
         and ":" followed by its port (if it was not the protocol's
         default
         one) in analogy one).  This is analogous to [RFC7252] the process described in
         [RFC7252], Section 6.5.

         This parameter is mandatory when the directory is filled by a
         third party party, such as an a commissioning tool.

         If the registrant-ep uses an ephemeral port to register with,
         it MUST include the base parameter in the registration to
         provide a valid network path.

         A registrant that cannot be reached by potential lookup clients
         at the address it registers from (e.g. (e.g., because it is behind
         some form of Network Address Translation (NAT)) MUST provide a
         reachable base address with its registration.

         If the Base base URI contains a link-local IP literal, it MUST NOT
         contain a Zone Identifier, Identifier and MUST be local to the link on
         which the registration request is received.

         Endpoints that register with a base that contains a path
         component cannot efficiently express their registrations in
         Limited Link Format (Appendix C).  Those applications should
         use different representations of links to which Appendix C is
         not applicable (e.g.  [I-D.hartke-t2trg-coral]). (e.g., [CORE-CORAL]).

      extra-attrs :=  Additional registration attributes (optional).
         The endpoint can pass any parameter registered at in Section 9.3
         to the directory.  If the RD is aware of the parameter's
         specified semantics, it processes it accordingly.  Otherwise,
         it MUST store the unknown key and its value(s) as an endpoint
         attribute for further lookup.

   Content-Format:  application/link-format or any other indicated media
      type representing web links

   The following response is expected on this interface:

   Success:  2.01 "Created" (Created) or 201 "Created". (Created).  The Location-Path option
      or Location header field MUST be included in the response.  This
      location MUST be a stable identifier generated by the RD RD, as it is
      used for all subsequent operations on this registration resource.
      The registration resource location thus returned is for the
      purpose of updating the lifetime of the registration and for
      maintaining the content of the registered links, including
      updating and deleting links.

      A registration with an already registered already-registered ep and d value pair
      responds with the same success code and location as the original
      registration; the set of links registered with the endpoint is
      replaced with the links from the payload.

      The location MUST NOT have a query or fragment component, as that
      could conflict with query parameters during the Registration
      Update registration
      update operation.  Therefore, the Location-Query option MUST NOT
      be present in a successful response.

   If the registration fails, including request timeouts, or if delays
   from Service Unavailable responses with Max-Age or Retry-After
   accumulate to exceed the registrant's configured timeouts, it SHOULD
   pick another registration URI from the "URI Discovery" step and step, and, if
   there is only one or the list is exhausted, pick other choices from
   the "Finding a Resource Directory" step.  Care has to be taken to
   consider the freshness of results obtained earlier, e.g. of e.g., the result
   of a /.well-known/core response, the lifetime of an RDAO
   option option, and of
   DNS responses.  Any rate limits and persistent errors from the
   "Finding a Resource Directory" step must be considered for the whole
   registration time, not only for a single operation.

   The following example shows a registrant-ep with the name "node1"
   registering two resources to an RD using this interface.  The
   location "/rd" is an example RD location discovered in a request
   similar to Figure 5.

   Req: POST coap://rd.example.com/rd?ep=node1
   Content-Format: 40
   Payload:
   </sensors/temp>;rt=temperature-c;if=sensor,
   <http://www.example.com/sensors/temp>;
     anchor="/sensors/temp";rel=describedby

   Res: 2.01 Created
   Location-Path: /rd/4521

                   Figure 8: Example registration payload Registration Payload

   An RD may optionally support HTTP.  Here is an example of almost the
   same registration operation above, above when done using HTTP.

   Req:
   POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1
   Host: rd.example.com
   Content-Type: application/link-format

   </sensors/temp>;rt=temperature-c;if=sensor,
   <http://www.example.com/sensors/temp>;
     anchor="/sensors/temp";rel=describedby

   Res:
   HTTP/1.1 201 Created
   Location: /rd/4521

       Figure 9: Example registration payload Registration Payload as expressed using Expressed Using HTTP

5.1.  Simple Registration

   Not all endpoints hosting resources are expected to know how to
   upload links to an RD RD, as described in Section 5.  Instead, simple
   endpoints can implement the Simple Registration simple registration approach described in
   this section.  An RD implementing this specification MUST implement
   Simple Registration.
   simple registration.  However, there may be security reasons why this
   form of directory discovery would be disabled.

   This approach requires that the registrant-ep makes available the
   hosted resources that it wants to be discovered, discovered as links on its
   /.well-known/core interface interface, as specified in [RFC6690].  The links in
   that document are subject to the same limitations as the payload of a
   registration (with respect to Appendix C).

   *  The registrant-ep finds one or more addresses of the directory
      server
      server, as described in Section 4.1.

   *  The registrant-ep sends (and regularly refreshes with) a POST
      request to the /.well-known/rd URI of the directory server of
      choice.  The body of the POST request is empty, empty and triggers the
      resource directory server to perform GET requests at the
      requesting registrant-ep's /.well-known/core to obtain the link-
      format payload to register.

      The registrant-ep includes the same registration parameters in the
      POST request as it would with a regular registration registration, per
      Section 5.  The registration base URI of the registration is taken
      from the registrant-ep's network address (as is default with
      regular registrations).

      Example

      The following is an example request from registrant-EP the registrant-ep to the
      RD (unanswered until the next step):

      Req: POST /.well-known/rd?lt=6000&ep=node1
      (No payload)

       Figure 10: First half example exchange First-Half Example Exchange of a simple registration Simple Registration

   *  The RD queries the registrant-ep's discovery resource to determine
      the success of the operation.  It SHOULD keep a cache of the
      discovery resource and not query it again as long as it is fresh.

      Example

      The following is an example request from the RD to the registrant-EP: registrant-
      ep:

      Req: GET /.well-known/core
      Accept: 40

      Res: 2.05 Content
      Content-Format: 40
      Payload:
      </sen/temp>

      Figure 11: Example exchange Exchange of the RD querying Querying the simple endpoint Simple Endpoint

   With this response, the RD would answer the previous step's request:

   Res: 2.04 Changed

      Figure 12: Second half example exchange Second-Half Example Exchange of a simple registration Simple Registration

   The sequence of fetching the registration content before sending a
   successful response was chosen to make responses reliable, and the
   point about caching was chosen to still allow very constrained
   registrants.  Registrants MUST be able to serve a GET request to
   /.well-known/core after having requested registration.  Constrained
   devices MAY regard the initial request as temporarily failed when
   they need RAM occupied by their own request to serve the RD's GET, GET and
   retry later when the RD already has a cached representation of their
   discovery resources.  Then, the RD can reply immediately immediately, and the
   registrant can receive the response.

   The simple registration request interface is specified as follows:

   Interaction:  EP -> RD

   Method:  POST

   URI Template:  /.well-known/rd{?ep,d,lt,extra-attrs*}

   URI Template Variables are the same as they are for registration in Section 5.
   The base attribute is not accepted to keep the registration interface
   simple; that rules out registration over CoAP-over-TCP or HTTP that
   would need to specify one.  For some time during this document's
   development, the URI template Template /.well-known/core{?ep,...} has been was in use
   instead.

   The following response is expected on this interface:

   Success:  2.04 "Changed". (Changed)

   For the second interaction triggered by the above, the registrant-ep
   takes the role of server and the RD takes the role of client.  (Note
   that this is exactly the Well-Known Interface well-known interface of [RFC6690] [RFC6690],
   Section 4):

   Interaction:  RD -> EP

   Method:  GET

   URI Template:  /.well-known/core

   The following response is expected on this interface:

   Success:  2.05 "Content". (Content)

   When the RD uses any authorization credentials to access the
   endpoint's discovery resource, resource or when it is deployed in a location
   where third parties might reach it but not the endpoint, it SHOULD
   verify that the apparent registrant-ep intends to register with the
   given registration parameters before revealing the obtained discovery
   information to lookup clients.  An easy way to do that is to verify
   the simple registration request's sender address using the Echo
   option
   option, as described in [I-D.ietf-core-echo-request-tag] [RFC9175], Section 2.4.

   The RD MUST delete registrations created by simple registration after
   the expiration of their lifetime.  Additional operations on the
   registration resource cannot be executed because no registration
   location is returned.

5.2.  Third-party registration  Third-Party Registration

   For some applications, even Simple Registration simple registration may be too taxing for
   some very constrained devices, in particular particular, if the security
   requirements become too onerous.

   In a controlled environment (e.g. (e.g., building control), the RD can be
   filled by a third party third-party device, called a Commissioning Tool (CT).
   The commissioning tool CT can fill the RD from a database or other means.  For that
   purpose scheme, the IP address and port of the URI of the registered
   device is the value of the "base" parameter of the registration
   described in Section 5.

   It should be noted that the value of the "base" parameter applies to
   all the links of the registration and has consequences for the anchor
   value of the individual links links, as exemplified in Appendix B.  An
   eventual (currently non-existing) nonexistent) "base" attribute of the link is not
   affected by the value of "base" parameter in the registration.

5.3.  Operations on the Registration Resource

   This section describes how the registering endpoint can maintain the
   registrations that it created.  The registering endpoint can be the
   registrant-ep or the CT.  The registrations are resources of the RD.

   An endpoint should not use this interface for registrations that it
   did not create.  This is usually enforced by security policies, which
   which, in general general, require equivalent credentials for creation of and
   operations on a registration.

   After the initial registration, the registering endpoint retains the
   returned location of the registration resource for further
   operations, including refreshing the registration in order to extend
   the lifetime and "keep-alive" the registration.  When the lifetime of
   the registration has expired, the RD SHOULD NOT respond to discovery
   queries concerning this endpoint.  The RD SHOULD continue to provide
   access to the registration resource after a registration time-out timeout
   occurs in order to enable the registering endpoint to eventually
   refresh the registration.  The RD MAY eventually remove the
   registration resource for the purpose of garbage collection.  If the
   registration resource is removed, the corresponding endpoint will
   need to be re-registered. reregistered.

   The registration resource may also be used to cancel the registration
   using DELETE, DELETE and to perform further operations beyond the scope of
   this specification.

   Operations on the registration resource are sensitive to reordering;
   Section 5.3.4 describes how order is restored.

   The operations on the registration resource are described below.

5.3.1.  Registration Update

   The update interface is used by the registering endpoint to refresh
   or update its registration with an RD.  To use the interface, the
   registering endpoint sends a POST request to the registration
   resource returned by the initial registration operation.

   An update MAY update registration parameters like lifetime, base URI URI,
   or others.  Parameters that are not being changed should not be
   included in an update.  Adding parameters that have not changed
   increases the size of the message but does not have any other
   implications.  Parameters are included as query parameters in an
   update operation operation, as in Section 5.

   A registration update resets the timeout of the registration to the
   (possibly updated) lifetime of the registration, independent of
   whether a an lt parameter was given.

   If the base URI of the registration is changed in an update, relative
   references submitted in the original registration or later updates
   are resolved anew against the new base.

   The registration update operation only describes the use of POST with
   an empty payload.  Future standards might describe the semantics of
   using content formats and payloads with the POST method to update the
   links of a registration (see Section 5.3.3).

   The update registration request interface is specified as follows:

   Interaction:  EP or CT -> RD

   Method:  POST

   URI Template:  {+location}{?lt,base,extra-attrs*}

   URI Template Variables:

      location :=  This is the Location location returned by the RD as a result
         of a successful earlier registration.

      lt :=  Lifetime (optional).  Lifetime  This is the lifetime of the
         registration in seconds.  Range seconds, with a range of 1-4294967295.  If no
         lifetime is included, the previous last lifetime set on a
         previous update or the original registration (falling back to
         90000) SHOULD be used.

      base :=  Base URI (optional).  This parameter updates the Base base URI
         established in the original registration to a new value, value and is
         subject to the same restrictions as in the registration.

         If the parameter is set in an update, it is stored by the RD as
         the new Base base URI under which to interpret the relative links
         present in the payload of the original registration.

         If the parameter is not set in the request but was set before,
         the previous Base base URI value is kept unmodified.

         If the parameter is not set in the request and was not set
         before either, the source address and source port of the update
         request are stored as the Base base URI.

      extra-attrs :=  Additional registration attributes (optional).  As
         with the registration, the RD processes them if it knows their
         semantics.  Otherwise, unknown attributes are stored as
         endpoint attributes, overriding any previously stored endpoint
         attributes of the same key.

         Note that this default behavior does not allow removing an
         endpoint attribute in an update.  For attributes whose
         functionality depends on the endpoints' ability to remove them
         in an update, it can make sense to define a value whose
         presence is equivalent to the absence of a value.  As an
         alternative, an extension can define different updating rules
         for their attributes.  That necessitates either discovery of discovering
         whether the RD is aware of that extension, extension or tolerating the
         default behavior.

   Content-Format:  none (no payload)

   The following responses are expected on this interface:

   Success:  2.04 "Changed" (Changed) or 204 "No Content" (No Content) if the update was
      successfully processed.

   Failure:  4.04 "Not Found" (Not Found) or 404 "Not Found". (Not Found).  Registration does not
      exist (e.g. (e.g., may have been removed).

   If the registration update fails in any way, including "Not Found"
   and request timeouts, or if the time indicated in a Service
   Unavailable Max-Age/Retry-After exceeds the remaining lifetime, the
   registering endpoint SHOULD attempt registration again.

   The following example shows how the registering endpoint resets the
   timeout on its registration resource at an RD using this interface
   with the example location value: /rd/4521. value /rd/4521:

   Req: POST /rd/4521

   Res: 2.04 Changed

                Figure 13: Example update Update of a registration Registration

   The following example shows the registering endpoint updating its
   registration resource at an RD using this interface with the example
   location value: value /rd/4521.  The initial registration by the registering
   endpoint set the following values:

   *  endpoint name (ep)=endpoint1

   *  lifetime (lt)=500

   *  Base  base URI (base)=coap://local-proxy-old.example.com

   *  payload of Figure 8

   The initial state of the RD is reflected in the following request:

   Req: GET /rd-lookup/res?ep=endpoint1

   Res: 2.05 Content
   Payload:
   <coap://local-proxy-old.example.com/sensors/temp>;
       rt=temperature-c;if=sensor,
   <http://www.example.com/sensors/temp>;
       anchor="coap://local-proxy-old.example.com/sensors/temp";
       rel=describedby

       Figure 14: Example lookup before Lookup Before a change Change to the base address Base Address

   The following example shows the registering endpoint changing the
   Base
   base URI to coaps://new.example.com:5684:

   Req: POST /rd/4521?base=coaps://new.example.com

   Res: 2.04 Changed

    Figure 15: Example registration update Registration Update that changes Changes the base address Base Address

   The consecutive query returns:

   Req: GET /rd-lookup/res?ep=endpoint1

   Res: 2.05 Content
   Payload:
   <coaps://new.example.com/sensors/temp>;
       rt=temperature-c;if=sensor,
   <http://www.example.com/sensors/temp>;
       anchor="coaps://new.example.com/sensors/temp";
       rel=describedby

        Figure 16: Example lookup after Lookup After a change Change to the base address Base Address

5.3.2.  Registration Removal

   Although RD registrations have soft state and will eventually timeout time
   out after their lifetime, the registering endpoint SHOULD explicitly
   remove an entry from the RD if it knows it will no longer be
   available (for example example, on shut-down). shutdown).  This is accomplished using a
   removal interface on the RD by performing a DELETE on the endpoint
   resource.

   The removal request interface is specified as follows:

   Interaction:  EP or CT -> RD

   Method:  DELETE

   URI Template:  {+location}

   URI Template Variables:

      location :=  This is the Location location returned by the RD as a result
         of a successful earlier registration.

   The following responses are expected on this interface:

   Success:  2.02 "Deleted" (Deleted) or 204 "No Content" (No Content) upon successful deletion
      deletion.

   Failure:  4.04 "Not Found" (Not Found) or 404 "Not Found". (Not Found).  Registration does not
      exist (e.g. (e.g., may already have been removed).

   The following examples example shows successful removal of the endpoint from
   the RD with example location value /rd/4521. /rd/4521:

   Req: DELETE /rd/4521

   Res: 2.02 Deleted

                Figure 17: Example of a registration removal Registration Removal

5.3.3.  Further operations Operations

   Additional operations on the registration can be specified in future
   documents, for example:

   *  Send iPATCH (or PATCH) updates ([RFC8132]) [RFC8132] to add, remove remove, or change
      the links of a registration.

   *  Use GET to read the currently stored set of links in a
      registration resource.

   Those operations are out of scope of this document, document and will require
   media types suitable for modifying sets of links.

5.3.4.  Request freshness Freshness

   Some security mechanisms usable with an RD allow out of order out-of-order request
   processing,
   processing or do not even mandate replay protection at all.  The RD
   needs to ensure that operations on the registration resource are
   executed in an order that does not distort the client's intentions.

   This ordering of operations is expressed in terms of freshness freshness, as
   defined in [I-D.ietf-core-echo-request-tag]. [RFC9175].  Requests that alter a resource's state need to
   be fresh relative to the latest request that altered that state in a
   conflicting way.

   An RD SHOULD determine a request's freshness, freshness and MUST use the Echo
   option if it requires request freshness and can not cannot determine the it in
   any other way.  An endpoint MUST support the use of the Echo option.
   (One reason why an RD would not require freshness is when no relevant
   registration properties are covered by is security policies.)

5.3.4.1.  Efficient use Use of Echo by an RD

   To keep latency and traffic added by the freshness requirements to a
   minimum, RDs should avoid naive (sufficient but inefficient)
   freshness criteria.

   Some simple mechanisms the RD can employ are:

   *  State counter.  The RD can keep a monotonous counter that
      increments whenever a registration changes.  For every
      registration resource, it stores the post-increment value of that
      resource's last change.  Requests altering them need to have at
      least that value encoded in their Echo option, option and are otherwise
      rejected with a 4.01 Unauthorized (Unauthorized) and the current counter value
      as the Echo value.  If other applications on the same server use
      Echo as well, that encoding may include a prefix indicating that
      it pertains to the RD's counter.

      The value associated with a resource needs to be kept across the
      removal of registrations if the same registration resource is to
      be reused.

      The counter can be reset (and the values of removed resources
      forgotten) when all previous security associations are reset.

      This is the "Persistent Counter" method of
      [I-D.ietf-core-echo-request-tag] [RFC9175], Appendix A.

   *  Preemptive Echo values.  The current state counter can be sent in
      an Echo option not only when requests are rejected with 4.01
      Unauthorized,
      (Unauthorized) but also with successful responses.  Thus, clients
      can be provided with Echo values sufficient for their next request
      on a regular basis.

      While endpoints may discard received Echo values at leisure
      between requests, they are encouraged to retain these values for
      the next request to avoid additional round trips.

   *  If the RD can ensure that only one security association has
      modifying access to any registration at any given time, time and that
      security association provides order on the requests, that order is
      sufficient to show request freshness.

5.3.4.2.  Examples of Echo usage Usage

   Figure 18 shows the interactions of an endpoint that has forgotten
   the server's latest Echo value and temporarily reduces its
   registration lifetime:

   Req: POST /rd/4521?lt=7200

   Res: 4.01 Unauthorized
   Echo: 0x0123

   (EP tries again immediately) immediately.)

   Req: POST /rd/4521?lt=7200
   Echo: 0x0123

   Res: 2.04 Changed
   Echo: 0x0124

   (Later

   (Later, the EP regains its confidence in its long-term reachability) reachability.)

   Req: POST /rd/4521?lt=90000
   Echo: 0x0124

   Res: 2.04 Changed
   Echo: 0x0247

                Figure 18: Example update Update of a registration Registration

   The other examples do not show Echo options for simplicity, and
   because they lack the context for any example values to have meaning.

6.  RD Lookup

   To discover the resources registered with the RD, a lookup interface
   must be provided.  This lookup interface is defined as a default, and
   it is assumed that RDs may also support lookups to return resource
   descriptions in alternative formats (e.g. (e.g., JSON or CBOR link format
   [I-D.ietf-core-links-json])
   [CORE-LINKS-JSON]) or using use more advanced interfaces (e.g. (e.g., supporting context
   context- or semantic based semantic-based lookup) on different resources that are
   discovered independently.

   RD Lookup lookup allows lookups for endpoints and resources using attributes
   defined in this document and for use with the CoRE Link Format.  The
   result of a lookup request is the list of links (if any)
   corresponding to the type of lookup.  Thus, an endpoint lookup MUST
   return a list of endpoints endpoints, and a resource lookup MUST return a list
   of links to resources.

   The lookup type is selected by a URI endpoint, which is indicated by
   a Resource Type resource type, as per Table 1 below: 1:

             +=============+====================+===========+
             | Lookup Type | Resource Type      | Mandatory |
             +=============+====================+===========+
             | Resource    | core.rd-lookup-res | Mandatory |
             +-------------+--------------------+-----------+
             | Endpoint    | core.rd-lookup-ep  | Mandatory |
             +-------------+--------------------+-----------+

                          Table 1: Lookup Types

6.1.  Resource lookup Lookup

   Resource lookup results in links that are semantically equivalent to
   the links submitted to the RD by the registrant.  The links and link
   parameters returned by the lookup are equal to the originally
   submitted ones, except that the target reference is fully resolved, resolved
   and that the anchor reference is fully resolved if it is present in
   the lookup result at all.

   Links that did not have an anchor attribute in the registration are
   returned without an anchor attribute.  Links of which href or anchor
   was submitted as a (full) URI are returned with the respective
   attribute unmodified.

   The above rules allow the client to interpret the response as links
   without any further knowledge of the storage conventions of the RD.
   The RD MAY replace the registration base URIs with a configured
   intermediate proxy, e.g. e.g., in the case of an HTTP lookup interface for
   CoAP endpoints.

   If the base URI of a registration contains a link-local address, the
   RD MUST NOT show its links unless the lookup was made from the link
   on which the registered endpoint can be reached.  The RD MUST NOT
   include zone identifiers in the resolved URIs.

6.2.  Lookup filtering Filtering

   Using the Accept Option, option, the requester can control whether the
   returned list is returned in CoRE Link Format (application/link-
   format, default) or in alternate content-formats (e.g. (e.g., from
   [I-D.ietf-core-links-json]).
   [CORE-LINKS-JSON]).

   Multiple search criteria MAY be included in a lookup.  All included
   criteria MUST match for a link to be returned.  The RD MUST support
   matching with multiple search criteria.

   A link matches a search criterion if it has an attribute of the same
   name and the same value, allowing for a trailing "*" wildcard
   operator
   operator, as in Section 4.1 of [RFC6690].  Attributes that are
   defined as relation-types (in the link-format ABNF) match if the
   search value matches any of their values (see Section 4.1 of
   [RFC6690]; e.g. for example, ?if=tag:example.net,2020:sensor matches
   ;if="example.regname
   tag:example.net,2020:sensor";). tag:example.net,2020:sensor";.  A resource link
   also matches a search criterion if its endpoint would match the
   criterion, and vice versa, an endpoint link matches a search
   criterion if any of its resource links matches it.

   Note that href is a valid search criterion and matches target
   references.  Like all search criteria, on a resource lookup lookup, it can
   match the target reference of the resource link itself, itself but also the
   registration resource of the endpoint that registered it.  Queries
   for resource link targets MUST be in URI form (i.e. (i.e., not relative
   references) and are matched against a resolved link target.  Queries
   for endpoints SHOULD be expressed in path-absolute form if possible
   and MUST be expressed in URI form otherwise; the RD SHOULD recognize
   either.  The anchor attribute is usable for resource lookups, lookups and, if
   queried, MUST be in URI form as well.

   Additional query parameters "page" and "count" are used to obtain
   lookup results in specified increments using pagination, where count
   specifies how many links to return and page specifies which subset of
   links organized in sequential pages, each containing 'count' links,
   starting with link zero and page zero.  Thus, specifying a count of
   10 and page of 0 will return the first 10 links in the result set
   (links 0-9).  Count =  Specifying a count of 10 and page = of 1 will return the
   next 'page' containing links 10-19, and so on.  Unlike block-wise
   transfer of a compelte complete result set, these parameters ensure that each
   chunk of results can be interpreted on its own.  This simplifies the processing,
   processing but can result in duplicate or missed items when
   coinciding with changes from the registration interface.

   Endpoints that are interested in a lookup result repeatedly or
   continuously can use mechanisms like ETag caching, resource
   observation ([RFC7641]), [RFC7641], or any future mechanism that might allow more
   efficient observations of collections.  These are advertised,
   detected
   detected, and used according to their own specifications and can be
   used with the lookup interface as with any other resource.

   When resource observation is used, every time the set of matching
   links changes, changes or the content of a matching link changes, the RD sends
   a notification with the matching link set.  The notification contains
   the successful current response to the given request, especially with
   respect to representing zero matching links (see "Success" item
   below).

   The lookup interface is specified as follows:

   Interaction:  Client -> RD

   Method:  GET

   URI Template:  {+type-lookup-location}{?page,count,search*}

   URI Template Variables:

      type-lookup-location :=  RD Lookup lookup URI for a given lookup type
         (mandatory).  The address is discovered as described in
         Section 4.3.

      search :=  Search criteria for limiting the number of results
         (optional).  The search criteria are an associative array,
         expressed in a form-style query query, as per the URI template Template (see [RFC6570]
         [RFC6570], Sections 2.4.2 and 3.2.8) 3.2.8).

      page :=  Page (optional).  Parameter  This parameter cannot be used without
         the count parameter.  Results are returned from result set in
         pages that contain 'count' links starting from index (page *
         count).  Page numbering starts with zero.

      count :=  Count (optional).  Number  The number of results is limited to
         this parameter value.  If the page parameter is also present,
         the response MUST only include 'count' links starting with the
         (page * count) link in the result set from the query.  If the
         count parameter is not present, then the response MUST return
         all matching links in the result set.  Link numbering starts
         with zero.

   Accept:  absent, application/link-format application/link-format, or any other indicated
      media type representing web links

   The following responses codes are defined for this interface:

   Success:  2.05 "Content" (Content) or 200 "OK" (OK) with an application/link-format
      or other web link payload containing matching entries for the
      lookup.

      The payload can contain zero links (which is an empty payload in
      [RFC6690]
      the link format, format described in [RFC6690] but could also be [] in JSON based
      JSON-based formats), indicating that no entities matched the
      request.

6.3.  Resource lookup examples Lookup Examples

   The examples in this section assume the existence of CoAP hosts with
   a default CoAP port 61616.  HTTP hosts are possible and do not change
   the nature of the examples.

   The following example shows a client performing a resource lookup
   with the example resource look-up lookup locations discovered in Figure 5:

   Req: GET /rd-lookup/res?rt=tag:example.org,2020:temperature

   Res: 2.05 Content
   Payload:
   <coap://[2001:db8:3::123]:61616/temp>;
       rt="tag:example.org,2020:temperature"

                  Figure 19: Example of a resource lookup Resource Lookup

   A client that wants to be notified of new resources as they show up
   can use this observation:

   Req: GET /rd-lookup/res?rt=tag:example.org,2020:light
   Observe: 0

   Res: 2.05 Content
   Observe: 23
   Payload: empty

   (at a later point in time)

   Res: 2.05 Content
   Observe: 24
   Payload:
   <coap://[2001:db8:3::124]/west>;rt="tag:example.org,2020:light",
   <coap://[2001:db8:3::124]/south>;rt="tag:example.org,2020:light",
   <coap://[2001:db8:3::124]/east>;rt="tag:example.org,2020:light"

             Figure 20: Example of an observing resource lookup Observing Resource Lookup

   The following example shows a client performing a paginated resource
   lookup
   lookup:

   Req: GET /rd-lookup/res?page=0&count=5

   Res: 2.05 Content
   Payload:
   <coap://[2001:db8:3::123]:61616/res/0>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/1>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/2>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/3>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/4>;ct=60

   Req: GET /rd-lookup/res?page=1&count=5

   Res: 2.05 Content
   Payload:
   <coap://[2001:db8:3::123]:61616/res/5>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/6>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/7>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/8>;ct=60,
   <coap://[2001:db8:3::123]:61616/res/9>;ct=60

              Figure 21: Examples Example of paginated resource lookup Paginated Resource Lookup

   The following example shows a client performing a lookup of all
   resources of all endpoints of a given endpoint type.  It assumes that
   two endpoints (with endpoint names sensor1 and sensor2) have
   previously registered with their respective addresses
   coap://sensor1.example.com
   (coap://sensor1.example.com and coap://sensor2.example.com, coap://sensor2.example.com) and
   posted the very payload of the 6th response of section Section 5 of
   [RFC6690].

   It demonstrates how absolute link targets stay unmodified, while
   relative ones are resolved:

   Req: GET /rd-lookup/res?et=tag:example.com,2020:platform

   Res: 2.05 Content
   Payload:
   <coap://sensor1.example.com/sensors>;ct=40;title="Sensor Index",
   <coap://sensor1.example.com/sensors/temp>;rt=temperature-c;if=sensor,
   <coap://sensor1.example.com/sensors/light>;rt=light-lux;if=sensor,
   <http://www.example.com/sensors/t123>;rel=describedby;
       anchor="coap://sensor1.example.com/sensors/temp",
   <coap://sensor1.example.com/t>;rel=alternate;
       anchor="coap://sensor1.example.com/sensors/temp",
   <coap://sensor2.example.com/sensors>;ct=40;title="Sensor Index",
   <coap://sensor2.example.com/sensors/temp>;rt=temperature-c;if=sensor,
   <coap://sensor2.example.com/sensors/light>;rt=light-lux;if=sensor,
   <http://www.example.com/sensors/t123>;rel=describedby;
       anchor="coap://sensor2.example.com/sensors/temp",
   <coap://sensor2.example.com/t>;rel=alternate;
       anchor="coap://sensor2.example.com/sensors/temp"

      Figure 22: Example of resource lookup a Resource Lookup from multiple endpoints Multiple Endpoints

6.4.  Endpoint lookup Lookup

   The endpoint lookup returns links to and information about
   registration resources, which themselves can only be manipulated by
   the registering endpoint.

   Endpoint registration resources are annotated with their endpoint
   names (ep), sectors (d, if present) present), and registration base URI (base;
   reports the registrant-ep's address if no explicit base was given) given),
   as well as a constant resource type (rt="core.rd-ep"); the lifetime
   (lt) is not reported.  Additional endpoint attributes are added as
   target attributes to their endpoint link unless their specification
   says otherwise.

   Links to endpoints SHOULD be presented in path-absolute form or, if
   required, as (full) URIs.  (This ensures that the output conforms to
   Limited Link Format Format, as described in Appendix C.)

   Base addresses that contain link-local addresses MUST NOT include
   zone identifiers, and such registrations MUST NOT be shown unless the
   lookup was made from the same link from which the registration was
   made.

   While Endpoint Lookup the endpoint lookup does expose the registration resources, the
   RD does not need to make them accessible to clients.  Clients SHOULD
   NOT attempt to dereference or manipulate them.

   An RD can report registrations in lookup lookups whose URI scheme and
   authority differ from the lookup resource's.  Lookup clients MUST be
   prepared to see arbitrary URIs as registration resources in the
   results and treat them as opaque identifiers; the precise semantics
   of such links are left to future specifications.

   The following example shows a client performing an endpoint lookup
   that is limited to endpoints of endpoint type
   tag:example.com,2020:platform:

   Req: GET /rd-lookup/ep?et=tag:example.com,2020:platform

   Res: 2.05 Content
   Payload:
   </rd/1234>;base="coap://[2001:db8:3::127]:61616";ep=node5;
       et="tag:example.com,2020:platform";ct=40;rt=core.rd-ep,
   </rd/4521>;base="coap://[2001:db8:3::129]:61616";ep=node7;
       et="tag:example.com,2020:platform";ct=40;d=floor-3;
       rt=core.rd-ep

                   Figure 23: Examples Example of endpoint lookup Endpoint Lookup

7.  Security policies Policies

   The security policies that are applicable to an RD strongly depend on
   the application, application and are not set out normatively here.

   This section provides a list of aspects that applications should
   consider when describing their use of the RD, without claiming to
   cover all cases.  It is using uses terminology of
   [I-D.ietf-ace-oauth-authz], [ACE-OAUTH-AUTHZ], in which
   the RD acts as the Resource Server (RS), and both registrant-eps and
   lookup clients act as Clients (C) with support from an Authorization
   Server (AS), without the intention of ruling out other (e.g. certificate / public-key
   infrastructure (PKI) based) schemes. schemes (e.g.,
   those based on certificates/Public Key Infrastructures (PKIs)).

   Any, all all, or none of the below can apply to an application.  Which
   are relevant depends on its protection objectives.

   Security policies are set by configuration of the RD, RD or by choice of
   the implementation.  Lookup clients (and, where relevant, endpoints)
   can only trust an RD to uphold them if it is authenticated, authenticated and
   authorized to serve as an RD according to the application's
   requirements.

7.1.  Endpoint name Name

   Whenever an RD needs to provide trustworthy results to clients doing
   endpoint lookup, lookup or resource lookup with filtering on the endpoint
   name, the RD must ensure that the registrant is authorized to use the
   given endpoint name.  This applies both to registration and later to
   operations on the registration resource.  It is immaterial whether
   the client is the registrant-ep itself or a CT is doing the
   registration:
   registration.  The RD cannot tell the difference, and CTs may use
   authorization credentials authorizing only operations on that
   particular endpoint name, name or a wider range of endpoint names.

   It is up to the concrete security policy to describe how the endpoint
   name and sector are transported when certificates are used.  For
   example, it may describe how SubjectAltName dNSName entries are
   mapped to endpoint and domain names.

7.1.1.  Random endpoint names Endpoint Names

   Conversely, in applications where the RD does not check the endpoint
   name, the authorized registering endpoint can generate a random
   number (or string) that identifies the endpoint.  The RD should then
   remember unique properties of the registrant, associate them with the
   registration for as long as its registration resource is active
   (which may be longer than the registration's lifetime), and require
   the same properties for operations on the registration resource.

   Registrants that are prepared to pick a different identifier when
   their initial attempt (or attempts, in the unlikely case of two
   subsequent collisions) at registration is unauthorized should pick an
   identifier at least twice as long as the expected number of
   registrants; registrants without such a recovery options should pick
   significantly longer endpoint names (e.g. (e.g., using UUID Universally Unique
   Identifier (UUID) URNs [RFC4122]).

7.2.  Entered resources Resources

   When lookup clients expect that certain types of links can only
   originate from certain endpoints, then the RD needs to apply
   filtering to the links an endpoint may register.

   For example, if clients use an RD to find a server that provides
   firmware updates, then any registrant that wants to register (or
   update) links to firmware sources will need to provide suitable
   credentials to do so, independently of its endpoint name.

   Note that the impact of having undesirable links in the RD depends on
   the application: if application.  If the client requires the firmware server to
   present credentials as a firmware server, a fraudulent link's impact
   is limited to the client revealing its intention to obtain updates
   and slowing down the client until it finds a legitimate firmware
   server; if the client accepts any credentials from the server as long
   as they fit the provided URI, the impact is larger.

   An RD may also require that links are only registered if the
   registrant is authorized to publish information about the anchor (or
   even target) of the link.  One way to do this is to demand that the
   registrant present the same credentials as a client that they'd need
   to present if contacted as a server at the resources' URI, which may
   include using the address and port that are part of the URI.  Such a
   restriction places severe practical limitations on the links that can
   be registered.

   As above, the impact of undesirable links depends on the extent to
   which the lookup client relies on the RD.  To avoid the limitations,
   RD applications should consider prescribing that lookup clients only
   use the discovered information as hints, hints and describe which pieces of
   information need to be verified because they impact the application's
   security.  A straightforward way to verify such information is to
   request it again from an authorized server, typically the one that
   hosts the target resource.  That is similar to what happens in
   Section 4.3 when the URI discovery step is repeated.

7.3.  Link confidentiality Confidentiality

   When registrants publish information in the RD that is not available
   to any client that would query the registrant's /.well-known/core
   interface, or when lookups to that interface are subject so to stricter
   firewalling than lookups to the RD, the RD may need to limit which
   lookup clients may access the information.

   In this case, the endpoint (and not the lookup clients) needs to be
   careful to check the RD's authorization.  The RD needs to check any
   lookup client's authorization before revealing information directly
   (in resource lookup) or indirectly (when using it to satisfy a
   resource lookup search criterion).

7.4.  Segmentation

   Within a single RD, different security policies can apply.

   One example of this are multi-tenant deployments separated by the
   sector (d) parameter.  Some sectors might apply limitations on the
   endpoint names available, while others use a random identifier
   approach to endpoint names and place limits on the entered links
   based on their attributes instead.

   Care must be taken in such setups to determine the applicable access
   control measures to each operation.  One easy way to do that is to
   mandate the use of the sector parameter on all operations, as no
   credentials are suitable for operations across sector borders anyway.

7.5.  First-Come-First-Remembered:  "First Come First Remembered": A default policy Default Policy

   The First-Come-First-Remembered "First Come First Remembered" policy is provided both as a
   reference example for a security policy definition, definition and as a policy
   that implementations may choose to use as default policy in the
   absence of other another configuration.  It is designed to enable efficient
   discovery operations even in ad-hoc ad hoc settings.

   Under this policy, the RD accepts registrations for any endpoint name
   that is not assigned to an active registration resource, resource and only
   accepts registration updates from the same endpoint.  The policy is
   minimal in that that, towards lookup clients clients, it does not make any of the
   claims of Section Sections 7.2 and Section 7.3, and its claims on in Section 7.1 are
   limited to the lifetime of that endpoint's registration.  It
   does, however, guarantee  However,
   towards any endpoint that endpoint, it does guarantee that, for the duration of its
   registration, its links will be discoverable on the RD.

   When a registration or operation is attempted, the RD MUST determine
   the client's subject name or public key:

   *  If the client's credentials indicate any subject name that is
      certified by any authority which that the RD recognizes (which may be
      the system's trust anchor store), all such subject names are
      stored.  With credentials based on CWT or JWT based credentials (as common with ACE),
      Authentication and Authorization for Constrained Environments
      (ACE)), the Subject (sub) claim is stored as a single name, if it
      exists.  With X.509 certificates, the Common Name (CN) and the
      complete list of SubjectAltName entries are stored.  In both
      cases, the authority that certified the claim is stored along with
      the subject, as the latter may only be locally unique.

   *  Otherwise, if the client proves possession of a private key, the
      matching public key is stored.  This applies both to raw public
      keys and to the public keys indicated in certificates that failed
      the above authority check.

   *  If neither is present, a reference to the security session itself
      is stored.  With (D)TLS, that is the connection itself, itself or the
      session resumption information information, if available.  With OSCORE, that
      is the security context.

   As part of the registration operation, that information is stored
   along with the registration resource.

   The RD MUST accept all registrations whose registration resource is
   not already active, as long as they are made using a security layer
   supported by the RD.

   Any operation on a registration resource, including registrations
   that lead to an existing registration resource, MUST be rejected by
   the RD unless all the stored information is found in the new
   request's credentials.

   Note that that, even though subject names are compared in this policy,
   they are never directly compared to endpoint names, and an endpoint can
   not
   cannot expect to "own" any particular endpoint name outside of an
   active registration -- even if a certificate says so.  It is an
   accepted shortcoming of this approach that the endpoint has no
   indication of whether the RD remembers it by its subject name or
   public key; recognition by subject happens on a best-effort base
   (given the RD may not recognize any authority).  Clients MUST be
   prepared to pick a different endpoint name when rejected by the RD
   initially or after a change in their credentials; picking an endpoint name
   name, as per Section 7.1.1 7.1.1, is an easy option for that.

   For this policy to be usable without configuration, clients should
   not set a sector name in their registrations.  An RD can set a
   default sector name for registrations accepted under this policy,
   which is useful especially useful in a segmented setup where different
   policies apply to different sectors.  The configuration of such a
   behavior, as well as any other configuration applicable to such an RD
   (i.e.
   (i.e., the set of recognized authorities) authorities), is out of scope for this
   document.

8.  Security Considerations

   The security considerations as described in Section 5 of [RFC8288]
   and Section 6 of [RFC6690] apply.  The /.well-known/core resource may
   be protected e.g. protected, e.g., using DTLS when hosted on a CoAP server server, as
   described in [RFC7252].

   Access that is limited or affects sensitive data SHOULD be protected,
   e.g.
   e.g., using (D)TLS or OSCORE ([RFC8613]; [RFC8613]; which aspects of the RD this
   affects depends on the security policies of the application (see
   Section 7).

8.1.  Discovery

   Most steps in discovery of the RD, and possibly its resources, are
   not covered by CoAP's security mechanisms.  This will not endanger
   the security properties of the registrations and lookup itself (where
   the client requires authorization of the RD if it expects any
   security properties of the operation), operation) but may leak the client's
   intention to third parties, parties and allow them to slow down the process.

   To mitigate that, clients can retain the RD's address, use secure
   discovery options like configured addresses, and send queries for RDs
   in a very general form (?rt=core.rd* (e.g., ?rt=core.rd* rather than ?rt=core.rd-lookup-
   ep). ?rt=core.rd-
   lookup-ep).

8.2.  Endpoint Identification and Authentication

   An Endpoint endpoint (name, sector) pair is unique within the set of endpoints
   registered by the RD.  An Endpoint endpoint MUST NOT be identified by its
   protocol, port port, or IP address address, as these may change over the lifetime
   of an Endpoint. endpoint.

   Every operation performed by an Endpoint endpoint on an RD SHOULD be mutually
   authenticated using Pre-Shared Key, Raw Public Key a pre-shared key, a raw public key, or Certificate
   based
   certificate-based security.

   Consider the following threat: two devices devices, A and B B, are registered
   at a single server.  Both devices have unique, per-device credentials
   for use with DTLS to make sure that only parties with authorization
   to access A or B can do so.

   Now, imagine that a malicious device A wants to sabotage the device
   B.  It uses its credentials during the DTLS exchange.  Then, it
   specifies the endpoint name of device B as the name of its own
   endpoint in device A.  If the server does not check whether the
   identifier provided in the DTLS handshake matches the identifier used
   at the CoAP layer layer, then it may be inclined to use the endpoint name
   for looking up what information to provision to the malicious device.

   Endpoint authorization needs to be checked on registration and
   registration resource operations independently of whether there are
   configured requirements on the credentials for a given endpoint name
   (and sector; Section 7.1) or whether arbitrary names are accepted
   (Section 7.1.1).

   Simple registration could be used to circumvent address-based access
   control:
   control.  An attacker would send a simple registration request with
   the victim's address as the source address, address and later look up the
   victim's /.well-known/core content in the RD.  Mitigation for this is
   recommended in Section 5.1.

   The registration resource path is visible to any client that is
   allowed endpoint lookup, lookup and can be extracted by resource lookup
   clients as well.  The same goes for registration attributes that are
   shown as target attributes or lookup attributes.  The RD needs to
   consider this in the choice of registration resource paths, paths and
   administrators or endpoint in their choice of attributes.

8.3.  Access Control

   Access control SHOULD be performed separately for the RD registration
   and Lookup lookup API paths, as different endpoints may be authorized to
   register with an RD from those authorized to lookup look up endpoints from
   the RD.  Such access control SHOULD be performed in as fine-grained a
   level as possible.  For example example, access control for lookups could be
   performed either at the sector, endpoint endpoint, or resource level.

   The precise access controls necessary (and the consequences of
   failure to enforce them) depend on the protection objectives of the
   application and the security policies (Section 7) derived from them.

8.4.  Denial of Service  Denial-of-Service Attacks

   Services that run over UDP unprotected are vulnerable to unknowingly
   amplify and distribute a DoS attack attack, as UDP does not require a return
   routability check.  Since RD lookup responses can be significantly
   larger than requests, RDs are prone to this.

   [RFC7252] describes this at length in its Section 11.3, including
   some mitigation by using small block sizes in responses.  The
   upcoming [I-D.ietf-core-echo-request-tag]  [RFC9175]
   updates that by describing a source address verification mechanism
   using the Echo option.

   [ If this document is published together with or after I-D.ietf-core-
   echo-request-tag, the above paragraph is replaced with the following:

   [RFC7252] describes this at length in its Section 11.3, and
   [I-D.ietf-core-echo-request-tag] (which updates the former)
   recommends using the Echo option to verify the request's source
   address.

   ]

8.5.  Skipping freshness checks Freshness Checks

   When RD based RD-based applications are built in which request freshness
   checks are not performed, these concerns need to be balanced:

   *  When alterations to registration attributes are reordered, an
      attacker may create any combination of attributes ever set, with
      the attack difficulty determined by the security layer's replay
      properties.

      For example, if Figure 18 were conducted without freshness
      assurances, an attacker could later reset the lifetime back to
      7200.  Thus, the device is made unreachable to lookup clients.

   *  When registration updates without query parameters (which just
      serve to restart the lifetime) can be reordered, an attacker can
      use intercepted messages to give the appearance of the device
      being alive to the RD.

      This is unacceptable when when the RD's security policy promises
      reachability of endpoints (e.g. (e.g., when disappearing devices would
      trigger further investigation), investigation) but may be acceptable with other
      policies.

9.  IANA Considerations

9.1.  Resource Types

   IANA is asked to enter has added the following values into to the Resource "Resource Type (rt=) Link
   Target Attribute Values sub-registry Values" subregistry of the Constrained
   Restful "Constrained RESTful
   Environments (CoRE) Parameters Parameters" registry defined in [RFC6690]:

    +====================+=============================+=============+
    | Value              | Description                 | Reference   |
    +====================+=============================+=============+
    | core.rd            | Directory resource of an RD | RFCTHIS RFC 9176,   |
    |                    |                             | Section 4.3 |
    +--------------------+-----------------------------+-------------+
    | core.rd-lookup-res | Resource lookup of an RD    | RFCTHIS RFC 9176,   |
    |                    |                             | Section 4.3 |
    +--------------------+-----------------------------+-------------+
    | core.rd-lookup-ep  | Endpoint lookup of an RD    | RFCTHIS RFC 9176,   |
    |                    |                             | Section 4.3 |
    +--------------------+-----------------------------+-------------+
    | core.rd-ep         | Endpoint resource of an RD  | RFCTHIS RFC 9176,   |
    |                    |                             | Section 6   |
    +--------------------+-----------------------------+-------------+

          Table 2 2: Additions to Resource Type (rt=) Link Target
                       Attribute Values Subregistry

9.2.  IPv6 ND Resource Directory Address Option

   This document registers

   IANA has registered one new ND option type under in the sub-registry "IPv6 Neighbor
   Discovery Option Formats" subregistry of the "Internet Control
   Message Protocol version 6 (ICMPv6) Parameters" registry:

   *

         +======+===================================+===========+
         | Type | Description                       | Reference |
         +======+===================================+===========+
         | 41   | Resource Directory Address Option (TBD38)

   [ The | RFC editor is asked 9176  |
         +------+-----------------------------------+-----------+

           Table 3: Addition to replace TBD38 with the assigned number
   in the document; the value 38 is suggested. ] IPv6 Neighbor Discovery Option
                           Formats Subregistry

9.3.  RD Parameter Parameters Registry

   This specification defines a new sub-registry subregistry for registration and
   lookup parameters called "RD Parameters" under "CoRE Parameters". within the "Constrained
   RESTful Environments (CoRE) Parameters" registry.  Although this
   specification defines a basic set of parameters, it is expected that
   other standards that make use of this interface will define new ones.

   Each entry in the registry must include include:

   *  the human readable human-readable name of the parameter,

   *  the short name name, as used in query parameters or target attributes,

   *  syntax and validity requirements (if any),

   *  indication of whether it can be passed as a query parameter at
      registration of endpoints, passed as a query parameter in lookups,
      or be expressed as a target attribute,

   *  syntax and validity requirements if any,
   *  a description,

   * and

   *  a link to reference documentation.

   The query parameter MUST be both a valid URI query key [RFC3986] and
   a token as used in [RFC8288].

   The description must give details on whether the parameter can be
   updated,
   updated and how it is to be processed in lookups.

   The mechanisms around new RD parameters should be designed in such a
   way that they tolerate RD implementations that are unaware of the
   parameter and expose any parameter passed at registration or updates
   on in endpoint lookups.  (For example, if a parameter used at
   registration were to be confidential, the registering endpoint should
   be instructed to only set that parameter if the RD advertises support
   for keeping it confidential at the discovery step.)

   Initial entries in this sub-registry subregistry are as follows:

    +==============+=======+==============+=====+=====================+
    | Full name Name         | Short | Validity     | Use | Description         |
    +==============+=======+==============+=====+=====================+
    | Endpoint     | ep    | Unicode*     | RLA | Name of the         |
    | Name         |       |              |     | endpoint            |
    +--------------+-------+--------------+-----+---------------------+
    | Lifetime     | lt    | 1-4294967295 | R   | Lifetime of the     |
    |              |       |              |     | registration in     |
    |              |       |              |     | seconds             |
    +--------------+-------+--------------+-----+---------------------+
    | Sector       | d     | Unicode*     | RLA | Sector to which     |
    |              |       |              |     | this endpoint       |
    |              |       |              |     | belongs             |
    +--------------+-------+--------------+-----+---------------------+
    | Registration | base  | URI          | RLA | The scheme, address         |
    | Base URI     |       |              |     | address, port, and port and path  |
    |              |       |              |     | path at which this  |
    |              |       |              |     | server is available |
    +--------------+-------+--------------+-----+---------------------+
    | Page         | page  | Integer      | L   | Used for pagination |
    +--------------+-------+--------------+-----+---------------------+
    | Count        | count | Integer      | L   | Used for pagination |
    +--------------+-------+--------------+-----+---------------------+
    | Endpoint     | et    | Section RFC 9176,    | RLA | Semantic type of    |
    | Type         |       | 9.3.1 Section      |     | the endpoint (see   |
    |              |       | 9.3.1        |     | RFC 9176,           |
    |              |       |              |     | Section 9.4)        |
    +--------------+-------+--------------+-----+---------------------+

                    Table 3: 4: New RD Parameters

   (Short: Registry

   Where:

   Short:  Short name used in query parameters or target attributes. attributes

   Validity:

      Unicode* =  63 Bytes bytes of UTF-8 encoded UTF-8-encoded Unicode, with no control
         characters as per Section 5. 5

   Use:

      R =  used at registration, registration
      L =  used at lookup, lookup
      A =  expressed in the target attribute.) attribute

   The descriptions for the options defined in this document are only
   summarized here.  To which registrations they apply and when they are
   to be shown is are described in the respective sections of this
   document.  All their reference documentation entries point to this
   document.

   The IANA policy for future additions to the sub-registry subregistry is "Expert
   Review" Expert
   Review, as described in [RFC8126].  The evaluation should consider
   formal criteria, duplication of functionality (Is (i.e., is the new entry
   redundant with an existing one?), topical suitability (E.g. (e.g., is the
   described property actually a property of the endpoint and not a
   property of a particular resource, in which case it should go into
   the payload of the registration and need not be registered?), and the
   potential for conflict with commonly used target attributes (For
   example, (e.g., if
   could be used as a parameter for conditional registration if it were
   not to be used in lookup or attributes, attributes but would make a bad parameter
   for lookup, lookup because a resource lookup with an if query parameter could
   ambiguously filter by the registered endpoint property or the [RFC6690] target attribute).
   attribute [RFC6690]).

9.3.1.  Full description Description of the "Endpoint Type" RD Parameter

   An endpoint registering at an RD can describe itself with endpoint
   types, similar to how resources are described with Resource Types resource types in
   [RFC6690].  An endpoint type is expressed as a string, which can be
   either a URI or one of the values defined in the Endpoint "Endpoint Type sub-
   registry. (et=)
   RD Parameter Values" subregistry.  Endpoint types can be passed in
   the et query parameter as part of extra-attrs at the Registration
   step, are shown on endpoint lookups using the et target attribute,
   and can be filtered for using et as a search criterion in resource
   and endpoint lookup.  Multiple endpoint types are given as separate
   query parameters or link attributes.

   Note that Endpoint Type the endpoint type differs from Resource Type the resource type in that it
   uses multiple attributes rather than space separated space-separated values.  As a
   result, RDs implementing this specification automatically support
   correct filtering in the lookup interfaces from the rules for unknown
   endpoint attributes.

9.4.  "Endpoint Type"  Endpoint Type (et=) RD Parameter values Values

   This specification establishes a new sub-registry under "CoRE
   Parameters" subregistry called '"Endpoint Type" "Endpoint
   Type (et=) RD Parameter values'. Values" within the "Constrained RESTful
   Environments (CoRE) Parameters" registry.  The registry properties
   (required policy, requirements, and template) are identical to those
   of the Resource Type resource type parameters in [RFC6690], [RFC6690]; in
   short:

   The short, the review
   policy is IETF Review for values starting with "core", "core" and
   Specification Required for others.

   The requirements to be enforced are:

   *  The values MUST be related to the purpose described in
      Section 9.3.1.

   *  The registered values MUST conform to the ABNF reg-rel-type
      definition of [RFC6690] and MUST NOT be a URI.

   *  It is recommended to use the period "." character for
      segmentation.

   The initial contents of the registry initially contains one value:

   *  "core.rd-group": are as follows:

    +===============+====================================+===========+
    | Value         | Description                        | Reference |
    +===============+====================================+===========+
    | core.rd-group | An application group group, as described | RFC 9176  |
    |               | in RFC 9176, Appendix A.           |           |
    +---------------+------------------------------------+-----------+

      Table 5: New Endpoint Type (et=) RD Parameter Values Registry

9.5.  Multicast Address Registration

   IANA is asked to assign has assigned the following multicast addresses for use by CoAP
   nodes:

   IPv4  -- "all CoRE Resource Directories" address MCD2 (suggestion:
   224.0.1.189), from 224.0.1.190, in the
      "Internetwork Control Block (224.0.1.0 - 224.0.1.255
      (224.0.1/24))" subregistry within the "IPv4 Multicast Address
      Space Registry".  As the address is used for discovery that may
      span beyond a single network, it has come from the Internetwork
      Control Block (224.0.1.x) [RFC5771].

   IPv6  -- "all CoRE Resource Directories" address MCD1 (suggestions
   FF0X::FE), from the "IPv6 Multicast Address Space Registry", ff0x::fe, in the
      "Variable Scope Multicast Addresses" space (RFC 3307). subregistry within the "IPv6
      Multicast Address Space Registry" [RFC3307].  Note that there is a
      distinct multicast address for each scope that interested CoAP
      nodes should listen to; CoAP needs the Link-Local link-local and Site-Local site-local
      scopes only.

   [ The RFC editor is asked to replace MCD1 and MCD2 with the assigned
   addresses throughout the document. ]

9.6.  Well-Known URIs

   IANA is asked to permanently register has registered the URI suffix "rd" in the "Well-Known URIs" registry.  The change controller is the IETF, this
   document is the reference.
   registry as follows:

        +============+===================+===========+===========+
        | URI Suffix | Change Controller | Reference | Status    |
        +============+===================+===========+===========+
        | rd         | IETF              | RFC 9176  | permanent |
        +------------+-------------------+-----------+-----------+

              Table 6: Addition to Well-Known URIs Registry

9.7.  Service Names Name and Transport Protocol Port Number Registry

   IANA is asked to enter has added four new items into to the Service Names "Service Name and Transport
   Protocol Port Number Registry:

   * Registry" as follows:

      +==============+===========+=====================+===========+
      | Service name: "core-rd", Protocol: "udp", Description: "Resource Name | Transport | Description         | Reference |
      |              | Protocol  |                     |           |
      +==============+===========+=====================+===========+
      | core-rd      | udp       | Resource Directory  | RFC 9176  |
      |              |           | accessed using CoAP"

   *  Service name "core-rd-dtls", Protocol: "udp", Description:
      "Resource CoAP |           |
      +--------------+-----------+---------------------+-----------+
      | core-rd-dtls | udp       | Resource Directory  | RFC 9176  |
      |              |           | accessed using CoAP |           |
      |              |           | over DTLS"

   *  Service name: "core-rd", Protocol: "tcp", Description: "Resource DTLS           |           |
      +--------------+-----------+---------------------+-----------+
      | core-rd      | tcp       | Resource Directory  | RFC 9176  |
      |              |           | accessed using CoAP |           |
      |              |           | over TCP"

   *  Service name "core-rd-tls", Protocol: "tcp", Description:
      "Resource TCP            |           |
      +--------------+-----------+---------------------+-----------+
      | core-rd-tls  | tcp       | Resource Directory  | RFC 9176  |
      |              |           | accessed using CoAP |           |
      |              |           | over TLS"

   All in common have this document as their reference. TLS            |           |
      +--------------+-----------+---------------------+-----------+

        Table 7: Additions to Service Name and Transport Protocol
                           Port Number Registry

10.  Examples

   Two examples are presented: a Lighting Installation lighting installation example in
   Section 10.1 and a LwM2M Lightweight M2M (LwM2M) example in Section 10.2.

10.1.  Lighting Installation

   This example shows a simplified lighting installation which that makes use
   of the RD with a CoAP interface to facilitate the installation and
   start-up
   startup of the application code in the lights and sensors.  In
   particular, the example leads to the definition of a group and the
   enabling of the corresponding multicast address address, as described in
   Appendix A.  No conclusions must be drawn on the realization of
   actual installation or naming procedures, because the example only
   "emphasizes" some of the issues that may influence the use of the RD
   and does not pretend to be normative.

10.1.1.  Installation Characteristics

   The example assumes that the installation is managed.  That means
   that a Commissioning Tool (CT) is used to authorize the addition of
   nodes, name them, and name their services.  The CT can be connected
   to the installation in many ways: the CT can be part of the
   installation network, connected by WiFi Wi-Fi to the installation network,
   or
   connected via GPRS link, or other connected by another method.

   It is assumed that there are two naming authorities for the
   installation: (1) the network manager that is responsible for the
   correct operation of the network and the connected interfaces, interfaces and (2)
   the lighting manager that is responsible for the correct functioning
   of networked lights and sensors.  The result is the existence of two
   naming schemes coming from the two managing entities.

   The example installation consists of one presence sensor, sensor and two
   luminaries, luminary1 and luminary2, each with their own wireless
   interface.  Each luminary contains three lamps: left, right right, and
   middle.  Each luminary is accessible through one endpoint.  For each
   lamp
   lamp, a resource exists to modify the settings of a lamp in a
   luminary.  The purpose of the installation is that the presence
   sensor notifies the presence of persons to a group of lamps.  The
   group of lamps consists of: of the middle and left lamps of luminary1 and
   the right lamp of luminary2.

   Before commissioning by the lighting manager, the network is
   installed
   installed, and access to the interfaces is proven to work by the
   network manager.

   At the moment of installation, the network under installation is not
   necessarily connected to the DNS infrastructure.  Therefore, SLAAC
   Stateless Address Autoconfiguration (SLAAC) IPv6 addresses are
   assigned to CT, RD, luminaries luminaries, and the sensor.  The addresses shown
   in Table 4 8 below stand in for these in the following examples.

                   +=================+================+
                   | Name            | IPv6 address   |
                   +=================+================+
                   | luminary1       | 2001:db8:4::1  |
                   +-----------------+----------------+
                   | luminary2       | 2001:db8:4::2  |
                   +-----------------+----------------+
                   | Presence sensor | 2001:db8:4::3  |
                   +-----------------+----------------+
                   | RD              | 2001:db8:4::ff |
                   +-----------------+----------------+

                      Table 4: 8: Addresses used Used in the
                                 examples
                                 Examples

   In Section 10.1.2 10.1.2, the use of RD during installation is presented.

10.1.2.  RD entries Entries

   It is assumed that access to the DNS infrastructure is not always
   possible during installation.  Therefore, the SLAAC addresses are
   used in this section.

   For discovery, the resource types (rt) of the devices are important.
   The lamps in the luminaries have rt=tag:example.com,2020:light, and
   the presence sensor has rt=tag:example.com,2020:p-sensor.  The
   endpoints have names which that are relevant to the light installation
   manager.  In this case case, luminary1, luminary2, and the presence sensor
   are located in room 2-4-015, where luminary1 is located at the window
   and luminary2 and the presence sensor are located at the door.  The
   endpoint names reflect this physical location.  The middle, left left, and
   right lamps are accessed via path /light/middle, /light/left, and
   /light/right
   /light/right, respectively.  The identifiers relevant to the RD are
   shown in Table 5 below: 9.

   +=========+================+========+===============================+
   |Name     |endpoint        |resource| resource type     |Endpoint        |Resource| Resource Type                 |
   |         |                |path                |Path    |                               |
   +=========+================+========+===============================+
   |luminary1|lm_R2-4-015_wndw|/light/ | tag:example.com,2020:light    |
   |         |                |left    |                               |
   +---------+----------------+--------+-------------------------------+
   |luminary1|lm_R2-4-015_wndw|/light/ | tag:example.com,2020:light    |
   |         |                |middle  |                               |
   +---------+----------------+--------+-------------------------------+
   |luminary1|lm_R2-4-015_wndw|/light/ | tag:example.com,2020:light    |
   |         |                |right   |                               |
   +---------+----------------+--------+-------------------------------+
   |luminary2|lm_R2-4-015_door|/light/ | tag:example.com,2020:light    |
   |         |                |left    |                               |
   +---------+----------------+--------+-------------------------------+
   |luminary2|lm_R2-4-015_door|/light/ | tag:example.com,2020:light    |
   |         |                |middle  |                               |
   +---------+----------------+--------+-------------------------------+
   |luminary2|lm_R2-4-015_door|/light/ | tag:example.com,2020:light    |
   |         |                |right   |                               |
   +---------+----------------+--------+-------------------------------+
   |Presence |ps_R2-4-015_door|/ps     | tag:example.com,2020:p-sensor |
   |sensor   |                |        |                               |
   +---------+----------------+--------+-------------------------------+

                          Table 5: 9: RD identifiers Identifiers

   It is assumed that the CT has performed RD discovery and has received
   a response like the one in the example in Section 4.3 example. 4.3.

   The CT inserts the endpoints of the luminaries and the sensor in the
   RD using the registration base URI parameter (base) to specify the
   interface address:

   Req: POST coap://[2001:db8:4::ff]/rd
     ?ep=lm_R2-4-015_wndw&base=coap://[2001:db8:4::1]&d=R2-4-015
   Payload:
   </light/left>;rt="tag:example.com,2020:light",
   </light/middle>;rt="tag:example.com,2020:light",
   </light/right>;rt="tag:example.com,2020:light"

   Res: 2.01 Created
   Location-Path: /rd/4521

   Req: POST coap://[2001:db8:4::ff]/rd
     ?ep=lm_R2-4-015_door&base=coap://[2001:db8:4::2]&d=R2-4-015
   Payload:
   </light/left>;rt="tag:example.com,2020:light",
   </light/middle>;rt="tag:example.com,2020:light",
   </light/right>;rt="tag:example.com,2020:light"

   Res: 2.01 Created
   Location-Path: /rd/4522

   Req: POST coap://[2001:db8:4::ff]/rd
     ?ep=ps_R2-4-015_door&base=coap://[2001:db8:4::3]&d=R2-4-015
   Payload:
   </ps>;rt="tag:example.com,2020:p-sensor"

   Res: 2.01 Created
   Location-Path: /rd/4523

         Figure 24: Example of registrations Registrations a CT enters Enters into an RD

   The sector name d=R2-4-015 has been added for an efficient lookup
   because filtering on the "ep" name is more awkward.  The same sector
   name is communicated to the two luminaries and the presence sensor by
   the CT.

   The group is specified in the RD.  The base parameter is set to the
   site-local multicast address allocated to the group.  In the POST in
   the example below, the resources supported by all group members are
   published.

   Req: POST coap://[2001:db8:4::ff]/rd
     ?ep=grp_R2-4-015&et=core.rd-group&base=coap://[ff05::1]
   Payload:
   </light/left>;rt="tag:example.com,2020:light",
   </light/middle>;rt="tag:example.com,2020:light",
   </light/right>;rt="tag:example.com,2020:light"

   Res: 2.01 Created
   Location-Path: /rd/501

       Figure 25: Example of a multicast group Multicast Group a CT enters Enters into an RD

   After the filling of the RD by the CT, the application in the
   luminaries can learn to which groups they belong, belong and enable their
   interface for the multicast address.

   The luminary, knowing its sector and being configured to join any
   group containing lights, searches for candidate groups and joins
   them:

   Req: GET coap://[2001:db8:4::ff]/rd-lookup/ep
     ?d=R2-4-015&et=core.rd-group&rt=light

   Res: 2.05 Content
   Payload:
   </rd/501>;ep=grp_R2-4-015;et=core.rd-group;
             base="coap://[ff05::1]";rt=core.rd-ep

          Figure 26: Example of a lookup exchange Lookup Exchange to find suitable
                            multicast addresses Find Suitable
                            Multicast Addresses

   From the returned base parameter value, the luminary learns the
   multicast address of the multicast group.

   The presence sensor can learn the presence of groups that support
   resources with rt=tag:example.com,2020:light in its own sector by
   sending the same request, as used by the luminary.  The presence
   sensor learns the multicast address to use for sending messages to
   the luminaries.

10.2.  OMA Lightweight M2M (LwM2M)

   OMA LwM2M is a profile for device services based on CoAP, providing
   interfaces and operations for device management and device service
   enablement.

   An LwM2M server is an instance of an LwM2M middleware service layer,
   containing an RD ([LwM2M] ([LwM2M], page 36f).

   That RD only implements the registration interface, and no lookup is
   implemented.  Instead, the LwM2M server provides access to the
   registered resources, resources in a similar way to a reverse proxy.

   The location of the LwM2M Server server and RD URI path is provided by the
   LwM2M Bootstrap bootstrap process, so no dynamic discovery of the RD is used.
   LwM2M Servers servers and endpoints are not required to implement the /.well-
   known/core resource.

13.

11.  References

13.1.

11.1.  Normative References

   [I-D.ietf-core-echo-request-tag]
              Amsüss, C., Mattsson, J. P., and G. Selander, "CoAP: Echo,
              Request-Tag, and Token Processing", Work in Progress,
              February 2021, <https://www.ietf.org/archive/id/draft-
              ietf-core-echo-request-tag-12.txt>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC6570]  Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
              and D. Orchard, "URI Template", RFC 6570,
              DOI 10.17487/RFC6570, March 2012,
              <https://www.rfc-editor.org/info/rfc6570>.

   [RFC6690]  Shelby, Z., "Constrained RESTful Environments (CoRE) Link
              Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
              <https://www.rfc-editor.org/info/rfc6690>.

   [RFC6763]  Cheshire, S. and M. Krochmal, "DNS-Based Service
              Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
              <https://www.rfc-editor.org/info/rfc6763>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <https://www.rfc-editor.org/info/rfc7230>.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014,
              <https://www.rfc-editor.org/info/rfc7252>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8288]  Nottingham, M., "Web Linking", RFC 8288,
              DOI 10.17487/RFC8288, October 2017,
              <https://www.rfc-editor.org/info/rfc8288>.

13.2.  Informative References

   [ER]       Chen, P., "The entity-relationship model--toward a unified
              view of data", DOI 10.1145/320434.320440, ACM Transactions
              on Database Systems Vol. 1, pp. 9-36, March 1976,
              <https://doi.org/10.1145/320434.320440>.

   [I-D.bormann-t2trg-rel-impl]
              Bormann,

   [RFC9175]  Amsüss, C., "impl-info: A link relation type for
              disclosing implementation information", Work in Progress,
              September 2020, <https://www.ietf.org/archive/id/draft-
              bormann-t2trg-rel-impl-02.txt>.

   [I-D.hartke-t2trg-coral]
              Hartke, K., "The Constrained RESTful Preuß Mattsson, J., and G. Selander,
              "Constrained Application Language
              (CoRAL)", Work in Progress, Internet-Draft, draft-hartke-
              t2trg-coral-09, 8 July 2019,
              <https://www.ietf.org/archive/id/draft-hartke-t2trg-coral-
              09.txt>.

   [I-D.ietf-ace-oauth-authz] Protocol (CoAP): Echo, Request-
              Tag, and Token Processing", RFC 9175,
              DOI 10.17487/RFC9175, February 2022,
              <https://www.rfc-editor.org/rfc/rfc9175>.

11.2.  Informative References

   [ACE-OAUTH-AUTHZ]
              Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
              H. Tschofenig, "Authentication and Authorization for
              Constrained Environments (ACE) using the OAuth 2.0
              Framework (ACE-OAuth)", Work in Progress, Internet-Draft,
              draft-ietf-ace-oauth-authz-37, 4 February
              draft-ietf-ace-oauth-authz-46, 8 November 2021,
              <https://datatracker.ietf.org/doc/html/draft-ietf-ace-
              oauth-authz-46>.

   [COAP-PROT-NEG]
              Silverajan, B. and M. Ocak, "CoAP Protocol Negotiation",
              Work in Progress, Internet-Draft, draft-silverajan-core-
              coap-protocol-negotiation-09, 2 July 2018,
              <https://datatracker.ietf.org/doc/html/draft-silverajan-
              core-coap-protocol-negotiation-09>.

   [CORE-CORAL]
              Amsüss, C. and T. Fossati, "The Constrained RESTful
              Application Language (CoRAL)", Work in Progress, Internet-
              Draft, draft-ietf-core-coral-04, 25 October 2021,
              <https://www.ietf.org/archive/id/draft-ietf-ace-oauth-
              authz-37.txt>.

   [I-D.ietf-core-links-json]
              LI,
              <https://datatracker.ietf.org/doc/html/draft-ietf-core-
              coral-04>.

   [CORE-LINKS-JSON]
              Li, K., Rahman, A., and C. Bormann, Ed., "Representing
              Constrained RESTful Environments (CoRE) Link Format in
              JSON and CBOR", Work in Progress, Internet-Draft, draft-
              ietf-core-links-json-10, 26 February 2018,
              <https://www.ietf.org/archive/id/draft-ietf-core-links-
              json-10.txt>.

   [I-D.ietf-core-rd-dns-sd]
              <https://datatracker.ietf.org/doc/html/draft-ietf-core-
              links-json-10>.

   [CORE-RD-DNS-SD]
              van der Stok, P. V. D., P., Koster, M., and C. Amsüss, Amsuess, "CoRE
              Resource Directory: DNS-SD mapping", Work in Progress, Internet-
              Draft,
              Internet-Draft, draft-ietf-core-rd-dns-sd-05, 7 July 2019,
              <https://www.ietf.org/archive/id/draft-ietf-core-rd-dns-
              sd-05.txt>.

   [I-D.silverajan-core-coap-protocol-negotiation]
              Silverajan, B. and M. Ocak, "CoAP Protocol Negotiation",
              Work in Progress, Internet-Draft, draft-silverajan-core-
              coap-protocol-negotiation-09, 2 July 2018,
              <https://www.ietf.org/archive/id/draft-silverajan-core-
              coap-protocol-negotiation-09.txt>.
              <https://datatracker.ietf.org/doc/html/draft-ietf-core-rd-
              dns-sd-05>.

   [ER]       Chen, P., "The entity-relationship model--toward a unified
              view of data", ACM Transactions on Database Systems, Vol.
              1, pp. 9-36, DOI 10.1145/320434.320440, March 1976,
              <https://doi.org/10.1145/320434.320440>.

   [LwM2M]    Open Mobile Alliance, "Lightweight Machine to Machine
              Technical Specification: Transport Bindings (Candidate
              Version 1.1)", 12 June 2018,
              <https://openmobilealliance.org/RELEASE/LightweightM2M/
              V1_1-20180612-C/OMA-TS-LightweightM2M_Transport-
              V1_1-20180612-C.pdf>.

   [RFC3306]  Haberman, B. and D. Thaler, "Unicast-Prefix-based IPv6
              Multicast Addresses", RFC 3306, DOI 10.17487/RFC3306,
              August 2002, <https://www.rfc-editor.org/info/rfc3306>.

   [RFC3307]  Haberman, B., "Allocation Guidelines for IPv6 Multicast
              Addresses", RFC 3307, DOI 10.17487/RFC3307, August 2002,
              <https://www.rfc-editor.org/info/rfc3307>.

   [RFC3849]  Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
              Reserved for Documentation", RFC 3849,
              DOI 10.17487/RFC3849, July 2004,
              <https://www.rfc-editor.org/info/rfc3849>.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,
              <https://www.rfc-editor.org/info/rfc4122>.

   [RFC4944]  Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
              "Transmission of IPv6 Packets over IEEE 802.15.4
              Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007,
              <https://www.rfc-editor.org/info/rfc4944>.

   [RFC5771]  Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for
              IPv4 Multicast Address Assignments", BCP 51, RFC 5771,
              DOI 10.17487/RFC5771, March 2010,
              <https://www.rfc-editor.org/info/rfc5771>.

   [RFC6724]  Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown,
              "Default Address Selection for Internet Protocol Version 6
              (IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012,
              <https://www.rfc-editor.org/info/rfc6724>.

   [RFC6775]  Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C.
              Bormann, "Neighbor Discovery Optimization for IPv6 over
              Low-Power Wireless Personal Area Networks (6LoWPANs)",
              RFC 6775, DOI 10.17487/RFC6775, November 2012,
              <https://www.rfc-editor.org/info/rfc6775>.

   [RFC6874]  Carpenter, B., Cheshire, S., and R. Hinden, "Representing
              IPv6 Zone Identifiers in Address Literals and Uniform
              Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874,
              February 2013, <https://www.rfc-editor.org/info/rfc6874>.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228,
              DOI 10.17487/RFC7228, May 2014,
              <https://www.rfc-editor.org/info/rfc7228>.

   [RFC7641]  Hartke, K., "Observing Resources in the Constrained
              Application Protocol (CoAP)", RFC 7641,
              DOI 10.17487/RFC7641, September 2015,
              <https://www.rfc-editor.org/info/rfc7641>.

   [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Options for DNS Configuration",
              RFC 8106, DOI 10.17487/RFC8106, March 2017,
              <https://www.rfc-editor.org/info/rfc8106>.

   [RFC8132]  van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and
              FETCH Methods for the Constrained Application Protocol
              (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017,
              <https://www.rfc-editor.org/info/rfc8132>.

   [RFC8141]  Saint-Andre, P. and J. Klensin, "Uniform Resource Names
              (URNs)", RFC 8141, DOI 10.17487/RFC8141, April 2017,
              <https://www.rfc-editor.org/info/rfc8141>.

   [RFC8613]  Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security for Constrained RESTful Environments
              (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
              <https://www.rfc-editor.org/info/rfc8613>.

   [T2TRG-REL-IMPL]
              Bormann, C., "impl-info: A link relation type for
              disclosing implementation information", Work in Progress,
              September 2020, <https://datatracker.ietf.org/doc/html/
              draft-bormann-t2trg-rel-impl-02>.

Appendix A.  Groups Registration and Lookup

   The RD-Groups RD-Group's usage pattern allows announcing application groups
   inside an RD.

   Groups are represented by endpoint registrations.  Their base address
   is a multicast address, and they SHOULD be entered with the endpoint
   type core.rd-group.  The endpoint name can also be referred to as a
   group name in this context.

   The registration is inserted into the RD by a Commissioning Tool,
   which might also be known as a group manager here.  It performs third
   party
   third-party registration and registration updates.

   The links it registers SHOULD be available on all members that join
   the group.  Depending on the application, members that lack some
   resource
   resources MAY be permissible if requests to them fail gracefully.

   The following example shows a CT registering a group with the name
   "lights"
   "lights", which provides two resources.  The directory resource path
   /rd is an example RD location discovered in a request similar to
   Figure 5.  The group address in the example is constructed from
   [RFC3849]'s the
   reserved 2001:db8:: prefix in [RFC3849] as a unicast-prefix based unicast-prefix-based
   site-local address (see [RFC3306]. [RFC3306]).

   Req: POST coap://rd.example.com/rd?ep=lights&et=core.rd-group
                              &base=coap://[ff35:30:2001:db8:f1::8000:1]
   Content-Format: 40
   Payload:
   </light>;rt="tag:example.com,2020:light";
        if="tag:example.net,2020:actuator",
   </color-temperature>;if="tag:example.net,2020:parameter";u=K

   Res: 2.01 Created
   Location-Path: /rd/12

                 Figure 27: Example registration Registration of a group Group

   In this example, the group manager can easily permit devices that
   have no writable color-temperature to join, as they would still
   respond to brightness changing brightness-changing commands.  Had the group instead
   contained a single resource that sets brightness and color color-
   temperature atomically, endpoints would need to support both
   properties.

   The resources of a group can be looked up like any other resource,
   and the group registrations (along with any additional registration
   parameters) can be looked up using the endpoint lookup interface.

   The following example shows a client performing an endpoint lookup
   for all groups. groups:

   Req: GET /rd-lookup/ep?et=core.rd-group

   Res: 2.05 Content
   Payload:
   </rd/12>;ep=lights&et=core.rd-group;
            base="coap://[ff35:30:2001:f1:db8::8000:1]";rt=core.rd-ep

                    Figure 28: Example lookup Lookup of groups Groups

   The following example shows a client performing a lookup of all
   resources of all endpoints (groups) with et=core.rd-group. et=core.rd-group:

   Req: GET /rd-lookup/res?et=core.rd-group

   Res: 2.05 Content
   Payload:
   <coap://[ff35:30:2001:db8:f1::8000:1]/light>;
        rt="tag:example.com,2020:light";
        if="tag:example.net,2020:actuator",
   <coap://[ff35:30:2001:db8:f1::8000:1]/color-temperature>;
        if="tag:example.net,2020:parameter";u=K,

            Figure 29: Example lookup Lookup of resources inside groups Resources Inside Groups

Appendix B.  Web links Links and the Resource Directory

   Understanding the semantics of a link-format document and its URI
   references is a journey through different documents ([RFC3986]
   defining URIs, [RFC6690] defining link-format documents based on
   [RFC8288]
   [RFC8288], which defines Link header fields, and [RFC7252] providing
   the transport).  This appendix summarizes the mechanisms and
   semantics at play from an entry in /.well-known/core to a resource
   lookup.

   This text is primarily aimed at people entering the field of
   Constrained Restful Environments from applications that previously
   did not use web mechanisms.

B.1.  A simple example Simple Example

   Let's start this example with a very simple host, 2001:db8:f0::1.  A
   client that follows classical CoAP Discovery ([RFC7252] discovery ([RFC7252], Section 7), 7)
   sends the following multicast request to learn about neighbours neighbors
   supporting resources with resource-type "temperature".

   The client sends a link-local multicast:

   Req: GET coap://[ff02::fd]:5683/.well-known/core?rt=temperature

   Res: 2.05 Content
   Payload:
   </sensors/temp>;rt=temperature;ct=0

              Figure 30: Example of direct resource discovery Direct Resource Discovery

   where the response is sent by the server, [2001:db8:f0::1]:5683.

   While the client -- on the practical or implementation side -- can
   just go ahead and create a new request to [2001:db8:f0::1]:5683 with
   Uri-Path:
   Uri-Path sensors and temp, the full resolution steps for insertion
   into and retrieval from the RD without any shortcuts are: are as follows.

B.1.1.  Resolving the URIs

   The client parses the single returned record.  The link's target
   (sometimes called "href") is "/sensors/temp", /sensors/temp, which is a relative URI
   that needs resolving.  The base URI <coap://[ff02::fd]:5683/.well-
   known/core> is used to resolve the reference /sensors/temp against. against /sensors/temp.

   The Base base URI of the requested resource can be composed from the
   options of the CoAP GET request by following the steps of [RFC7252]
   section [RFC7252],
   Section 6.5 (with an addition at the end of Section 8.2) into
   "coap://[2001:db8:f0::1]/.well-known/core".
   coap://[2001:db8:f0::1]/.well-known/core.

   Because "/sensors/temp" /sensors/temp starts with a single slash, the record's target
   is resolved by replacing the path "/.well-known/core" /.well-known/core from the
   Base base URI (section 5.2 [RFC3986])
   ([RFC3986], Section 5.2) with the relative target URI
   "/sensors/temp" /sensors/temp
   into "coap://[2001:db8:f0::1]/sensors/temp". coap://[2001:db8:f0::1]/sensors/temp.

B.1.2.  Interpreting attributes Attributes and relations Relations

   Some more information but the record's target can be obtained from
   the payload: the resource type of the target is "temperature", and
   its content format is text/plain (ct=0).

   A relation in a web link is a three-part statement that specifies a
   named relation between the so-called "context resource" and the
   target resource, like "_This page_ has _its table of contents_ at _/
   toc.html_".  In link format link-format documents, there is an implicit "host
   relation" specified with default parameter: parameter rel="hosts".

   In our example, the context resource of the link is implied to be
   "coap:://[2001:db8:f0::1]" by the default value of the anchor (see
   Appendix B.4).  A full English expression of the "host relation" is:

   'coap://[2001:db8:f0::1]

      coap://[2001:db8:f0::1] is hosting the resource
      coap://[2001:db8:f0::1]/sensors/temp, which is of the resource
      type "temperature" and can be accessed using the text/plain
      content
   format.' format.

B.2.  A slightly more complex example Slightly More Complex Example

   Omitting the rt=temperature filter, the discovery query would have
   given some more records in the payload:

   Req: GET coap://[ff02::fd]:5683/.well-known/core

   Res: 2.05 Content
   Payload:
   </sensors/temp>;rt=temperature;ct=0,
   </sensors/light>;rt=light-lux;ct=0,
   </t>;anchor="/sensors/temp";rel=alternate,
   <http://www.example.com/sensors/t123>;anchor="/sensors/temp";
       rel=describedby

          Figure 31: Extended example Example of direct resource discovery Direct Resource Discovery

   Parsing the third record, the client encounters the "anchor"
   parameter.  It is a URI relative to the Base base URI of the request and
   is thus resolved to "coap://[2001:db8:f0::1]/sensors/temp". coap://[2001:db8:f0::1]/sensors/temp.  That is
   the context resource of the link, so the "rel" statement is not about
   the target and the Base base URI any more, more but about the target and the
   resolved URI.  Thus, the third record could be read as
   "coap://[2001:db8:f0::1]/sensors/temp
   coap://[2001:db8:f0::1]/sensors/temp has an alternate representation
   at coap://[2001:db8:f0::1]/t". coap://[2001:db8:f0::1]/t.

   Following the same resolution steps, the fourth record can be read as
   "coap://[2001:db8:f0::1]/sensors/temp
   coap://[2001:db8:f0::1]/sensors/temp is described by
   http://www.example.com/sensors/t123".
   http://www.example.com/sensors/t123.

B.3.  Enter the Resource Directory

   The RD tries to carry the semantics obtainable by classical CoAP
   discovery over to the resource lookup interface as faithfully as
   possible.

   For the following queries, we will assume that the simple host has
   used Simple Registration simple registration to register at the RD that was announced to
   it, sending this request from its UDP port [2001:db8:f0::1]:6553:

   Req: POST coap://[2001:db8:f01::ff]/.well-known/rd?ep=simple-host1

   Res: 2.04 Changed

                Figure 32: Example of a simple registration Simple Registration

   The RD would have accepted the registration, registration and queried the simple
   host's /.well-known/core by itself.  As a result, the host is
   registered as an endpoint in the RD with the name "simple-host1".
   The registration is active for 90000 seconds, and the endpoint
   registration Base base URI is "coap://[2001:db8:f0::1]" coap://[2001:db8:f0::1], following the
   resolution steps described in Appendix B.1.1.  It should be remarked
   that the Base base URI constructed that way always yields a URI of the
   form:
   form scheme://authority without path suffix.

   If the client now queries the RD as it would previously have issued a
   multicast request, it would go through the RD discovery steps by
   fetching coap://[2001:db8:f0::ff]/.well-known/core?rt=core.rd-lookup-
   res, obtain coap://[2001:db8:f0::ff]/rd-lookup/res as the resource
   lookup endpoint, and ask it for all temperature resources:

   Req: GET coap://[2001:db8:f0::ff]/rd-lookup/res?rt=temperature

   Res: 2.05 Content
   Payload:
   <coap://[2001:db8:f0::1]/sensors/temp>;rt=temperature;ct=0

           Figure 33: Example exchange performing resource lookup Exchange Performing Resource Lookup

   This is not _literally_ the same response that it would have received
   from a multicast request, but it contains the equivalent statement:

   'coap://[2001:db8:f0::1]

      coap://[2001:db8:f0::1] is hosting the resource
      coap://[2001:db8:f0::1]/sensors/temp, which is of the resource
      type "temperature" and can be accessed using the text/plain
      content
   format.' format.

   To complete the examples, the client could also query all resources
   hosted at the endpoint with the known endpoint name "simple-host1":

   Req: GET coap://[2001:db8:f0::ff]/rd-lookup/res?ep=simple-host1

   Res: 2.05 Content
   Payload:
   <coap://[2001:db8:f0::1]/sensors/temp>;rt=temperature;ct=0,
   <coap://[2001:db8:f0::1]/sensors/light>;rt=light-lux;ct=0,
   <coap://[2001:db8:f0::1]/t>;
       anchor="coap://[2001:db8:f0::1]/sensors/temp";rel=alternate,
   <http://www.example.com/sensors/t123>;
       anchor="coap://[2001:db8:f0::1]/sensors/temp";rel=describedby

      Figure 34: Extended example exchange performing resource lookup Example Exchange Performing Resource Lookup

   All the target and anchor references are already in absolute form
   there, which don't need to be resolved any further.

   Had the simple host done an equivalent full registration with a base=
   parameter (e.g. (e.g., ?ep=simple-host1&base=coap+tcp://simple-
   host1.example.com), that context would have been used to resolve the
   relative anchor values instead, giving the following and analogous
   records:

   <coap+tcp://simple-host1.example.com/sensors/temp>;rt=temperature;ct=0

       Figure 35: Example payload Payload of a response Response to a resource lookup Resource Lookup
                         with a dedicated base Dedicated Base URI

   and analogous records.

B.4.  A note Note on differences Differences between link-format Link-Format and Link header fields Header Fields

   While link-format and Link header fields look very similar and are
   based on the same model of typed links, there are some differences
   between [RFC6690] and [RFC8288].  When implementing an RD or
   interacting with an RD, care must be taken to follow the [RFC6690] behavior
   described in [RFC6690] whenever application/link-format
   representations are used.

   *  "Default value of anchor": Both under Under both [RFC6690] and [RFC8288],
      relative references in the term inside the angle brackets (the
      target) and the anchor attribute are resolved against the relevant
      base URI (which usually is the URI used to retrieve the entity), entity)
      and independent of each other.

      When, in an [RFC8288] a Link header, header [RFC8288], the anchor attribute is absent,
      the link's context is the URI of the selected representation (and
      usually equal to the base URI).

      In [RFC6690] links, links per [RFC6690], if the anchor attribute is absent, the
      default value is the Origin of (for all relevant cases: cases, the URI
      reference / resolved against) the link's target.

   *  There is no percent encoding in link-format documents.

      A link-format document is a UTF-8 encoded UTF-8-encoded string of Unicode
      characters and does not have percent encoding, while Link header
      fields are practically ASCII strings that use percent encoding for
      non-ASCII characters, stating the encoding explicitly when
      required.

      For example, while a Link header field in a page about a Swedish
      city might read read:

      Link: </temperature/Malm%C3%B6>;rel=live-environment-data

      a link-format document from the same source might describe the
      link as as:

      </temperature/Malmö>;rel=live-environment-data

Appendix C.  Limited Link Format

   The CoRE Link Format Format, as described in [RFC6690] [RFC6690], has been interpreted
   differently by implementers, and a strict implementation rules out
   some use cases of an RD (e.g. (e.g., base values with path components in
   combination with absent anchors).

   This appendix describes a subset of link format documents called the
   Limited Link Format.  The one rule herein is not very limiting in
   practice -- all examples in RFC6690, [RFC6690] and all deployments the authors
   are aware of already stick to them -- but ease eases the implementation of
   RD servers.

   It is applicable to representations in the application/link-format
   media type, type and any other media types that inherit [RFC6690] [RFC6690],
   Section 2.1.

   A link format representation is in the Limited Link format Format if, for
   each link in it, the following applies:

   All URI references either follow the URI or the path-absolute ABNF
   rule of RFC3986 (i.e. [RFC3986] (i.e, the target and anchor each either start with
   a scheme or with a single slash).

11.

Acknowledgments

   Oscar Novo, Srdjan Krco, Szymon Sasin, Kerry Lynn, Esko Dijk, Anders
   Brandt, Matthieu Vial, Jim Schaad, Mohit Sethi, Hauke Petersen,
   Hannes Tschofenig, Sampo Ukkola, Linyi Tian, Jan Newmarch, Matthias
   Kovatsch, Jaime Jimenez Jimenez, and Ted Lemon have provided helpful
   comments,
   discussions discussions, and ideas to improve and shape this document.
   Zach would also like to thank his colleagues from the EU FP7 SENSEI
   project, where many of the RD concepts were originally developed.

Authors' Addresses

   Christian Amsüss (editor)
   Hollandstr. 12/4
   1020
   Austria

   Phone: +43-664-9790639
   Email: christian@amsuess.com

   Zach Shelby
   ARM
   150 Rose Orchard
   San Jose,  95134
   United States of America

   Phone: +1-408-203-9434
   Email: zach.shelby@arm.com

   Michael Koster
   SmartThings
   665 Clyde Avenue
   Mountain View,  94043
   United States of America

   Phone: +1-707-502-5136
   Email: Michael.Koster@smartthings.com

   Carsten Bormann
   Universitaet Bremen TZI
   Postfach 330440
   D-28359 Bremen
   Germany

   Phone: +49-421-218-63921
   Email: cabo@tzi.org

   Peter van der Stok
   consultant
   Consultant

   Phone: +31-492474673 (Netherlands), +33-966015248 (France)
   Email: consultancy@vanderstok.org
   URI:   www.vanderstok.org